New Member

Need help with NTP service on Cisco routers

Hi,

I am planning to deploy an NTP service in our network, the centralised model: our head office border Internet Cisco 871 will synch with 3 Internet NTP servers, our head office core Cisco 1811 will synch with the latter, and all other network devices, the AD domain forest root PDC emulator and all standalone PCs will synch with the core Cisco 1811.

I have read the following:

Configuration Fundamentals and Network Management Commands
Performing Basic System Management
Hardening Cisco Routers: Chapter 10: NTP.

Almost everything is clear, but still have some questions.

1. We are located in Armenia, UTC +4, summer time lasts from last Sunday March to last Sunday October.

How should I setup my border router? Does Cisco have timezone code for Armenia?

Googling gives me AMT and AMST as Armenian Time and Armenian Summer Time, but I also saw other meanings for AMT (American time or something like that).

As far as I know, if AMT and AMST are valid for Cisco routers I can achieve my target this way:

Router# clock timezone AMT +4
Router# clock summer-time AMST +5 recurring last Sun Mar 2:00 last Sun Oct 2:00

Are the codes valid for Cisco?

Are the commands correct?

2. It is written: as soon as a Cisco router is set up to synch with an authoritative time server, it is ready to serve as an NTP server itself.

Question: how does the router know the server is authoritative? Or is any external NTP server authoritative? Or is this integrated into the NTP protocol: to verify/prove authority?

3. Do I need to disable NTP on external interfaces if I have access-lists on all my routers' external interfaces which do not specifically permit NTP or UDP port 123 and end with "deny ip any any"?

I know the NTP server service is automatically activated on all interfaces as soon as a Cisco router is set up to synch with an authoritative time server. Does the NTP service also automatically make holes in filters?

4. Is it reasonable to set up the above-mentioned border Cisco as an ntp master just in case? I mean, when there is no connection to the time servers the border Cisco will not function as an NTP server, and if this happens during the Christmas holidays we will not have a time server for up to 10 days. (Honestly, I don't think it will cause problems, especially if we use "ntp update-calendar" to keep the hardware clocks correct).

Thanks in advance,

Alen

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

I hope that these help to answer your questions:

1) In the commands clock timezone and clock summer-time the router does not care what letters you specify, this is just a character string to the router and is not a time "code". So AMT and AMST will be just fine (and so would any other characters that you might want to use).

2) Part of the NTP negotiation is to determine whether the server is authoritative. The generally recognized Internet time servers will all be authoritative.

3) If you disable NTP on the external interface then you will prevent your router from learning NTP from any Internet source. And NO the router NTP does not automatically make holes in filters. The filters will filter as you configure them, and if you configure them to deny UDP 123 then NTP will not work.

4) I would advocate that you NOT configure your router as "master" just in case. If you have Internet connectivity and if the router is configured with 3 Internet servers then the router should learn NTP from at least one of them.

HTH

Rick

New Member

Re: Need help with NTP service on Cisco routers

Dear Richard,

Thank you very much for your clarifications. Almost all is clear now.

You wrote: "3) If you disable NTP on the external interface then you will prevent  your router from learning NTP from any Internet source."

I see here: http://oreilly.com/catalog/hardcisco/chapter/ch10.html

the following:

"ntp disable

The ntp disable command can be used on a per-interface basis. When applied to an interface, the command keeps the interface from acting as an NTP server, but still allows it to serve as an NTP client. This is the recommended configuration for external interfaces."

Who is right?

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

I misunderstood your point. Since the rest of 3) was asking about access lists I assumed that you were talking about disabling NTP by configuring access lists. Your source is correct about the ntp disable command.

HTH

Rick

New Member

Re: Need help with NTP service on Cisco routers

Dear Richard, you wrote:

"1) In the commands clock timezone and clock summer-time the router does not care what letters you specify, this is just a character string to the router and is not a time "code". So AMT and AMST will be just fine (and so would any other characters that you might want to use)".

Now I have questions on this. If it is not a time zone standard code, then:

- will the router transfer this info to its NTP clients? (I mean, will they receive and show their time zones as AMT?)

- if not and this code is just for a local display purposes, will the router at least change its clients time to summer time when time comes?

- then what is the right strategy for the clients (local, own) settings for time zone and summer time change? (I am asking both for network devices and for Windows based PCs)

"3) If you disable NTP on the external interface then you will prevent  your router from learning NTP from any Internet source. And NO the  router NTP does not automatically make holes in filters. The filters  will filter as you configure them, and if you configure them to deny UDP  123 then NTP will not work."

In your last post you wrote that I would prevent NTP from functioning if I have closed the NTP port (UDP 123). Indeed, as I said, I do not specifically open UDP 123 and all of my ACLs (for external interfaces) end with "deny ip any any".

But! I also have stateful firewall activated on those interfaces, isn't this enough? (Enough for two things: for the border router to be safe and not provide NTP server role, be invisible as NTP server for outsiders, and properly work as NTP client of Internet time servers)

Thank you very much.

P.S. One more thing:

Isn't it necessary to also mention the summer time offset? (In all the examples I saw, the summer time offset was not mentioned, as if the router knows it from the time code or there is a default value.) Well, I have just read that there is a default value for the summer-time command = 1 hour, and this offset is relative to winter time, not UTC. Thus the correct config would be (assuming the summer offset is +1 from winter time):

Router# clock timezone AMT +4

Router# clock summer-time  AMST recurring last Sun Mar 2:00 last Sun Oct 2:00

Is it?

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

You asked:

- will the router transfer this info to its NTP clients?

No the router will not transfer information about time zone to its clients. The specification of NTP is very clear that it always communicates time using UTC and that any adjustment for local time zone is the responsibility of the client. So the router learns time in UTC and makes the adjustments that we have been discussing for local time. And the router will communicate time in UTC to its clients and its clients must make their own adjustment for local time.

- if not and this code is just for a local display purposes, will the  router at least change its clients time to summer time when time comes?

No the router will not change its clients time for summer time. It transmits time in UTC and it is up to the client to make adjustments for local environments.

- then what is the right strategy for the clients (local, own) settings  for time zone and summer time change?

For Windows machines the right strategy is pretty simple - Windows provides a setting where you can set the local time zone. Windows assumes that it will learn NTP using UTC and will make the adjustments. For routers and switches in your network you will need to make the configuration changes in them to specify time zone offsets and summer time (as we have been discussing).

If you are running a stateful firewall on the router and the router generates an outgoing NTP request, then I would expect that the stateful firewall would accept the response. I interpreted your previous questions about access lists to be in the context of normal router access lists and not so much in the context of stateful firewall. In normal access list processing the router will not automatically create a hole in your access list for NTP just because NTP is enabled by default.

Yes I believe that the configuration you give is correct.

Router# clock timezone AMT +4

Router# clock summer-time  AMST recurring last Sun Mar 2:00 last Sun Oct 2:00

HTH

Rick
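Rick's point (NTP carries UTC; `clock timezone` and `clock summer-time` only change what the router itself displays and logs) can be checked against the router's own output. The following is an added example, not code from this thread or from Cisco: it parses the 64-bit NTP timestamp that `show ntp status` prints and applies the AMT/AMST recurring rule from the configuration above, using the IOS convention that the start time is given in standard time and the end time in summer time, and the IOS default summer-time offset of standard time + 1 hour. The two timestamps used below are the ones that appear later in this thread (CFCD7115.E719AFF8 once synchronised, and 00000000.00000000 before synchronisation).

```python
import calendar
import datetime as dt

UTC = dt.timezone.utc
NTP_EPOCH = dt.datetime(1900, 1, 1, tzinfo=UTC)   # NTP seconds count from 1900, not 1970

# "clock timezone AMT 4" and
# "clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00";
# IOS summer-time offset defaults to standard time + 1 hour.
STD_NAME, STD_OFFSET = "AMT", dt.timedelta(hours=4)
DST_NAME, DST_OFFSET = "AMST", dt.timedelta(hours=5)


def ntp_timestamp_to_utc(hexts):
    """Parse 'SSSSSSSS.FFFFFFFF' as printed by 'show ntp status' (hex seconds.fraction)."""
    sec_hex, frac_hex = hexts.split(".")
    seconds = int(sec_hex, 16)
    micros = int(frac_hex, 16) * 1_000_000 // 2**32   # 32-bit binary fraction of a second
    return NTP_EPOCH + dt.timedelta(seconds=seconds, microseconds=micros)


def last_sunday(year, month):
    last_day = calendar.monthrange(year, month)[1]
    d = dt.date(year, month, last_day)
    return d - dt.timedelta(days=(d.weekday() - 6) % 7)   # weekday(): Monday=0 ... Sunday=6


def summer_time_active(utc):
    """Recurring rule: starts 02:00 standard time on the last Sunday of March,
    ends 02:00 summer time on the last Sunday of October (IOS semantics)."""
    y = utc.year
    start_local = dt.datetime.combine(last_sunday(y, 3), dt.time(2, 0), tzinfo=UTC)
    end_local = dt.datetime.combine(last_sunday(y, 10), dt.time(2, 0), tzinfo=UTC)
    return (start_local - STD_OFFSET) <= utc < (end_local - DST_OFFSET)


def to_local(utc):
    """What the router itself displays after applying its clock settings; NTP never carries this."""
    if summer_time_active(utc):
        return utc.astimezone(dt.timezone(DST_OFFSET, DST_NAME))
    return utc.astimezone(dt.timezone(STD_OFFSET, STD_NAME))


def format_like_ios(utc):
    """Mimic the '(10:52:21.902 AMST Thu Jun 24 2010)' form used by 'show ntp status'."""
    local = to_local(utc)
    return (f"{local:%H:%M:%S}.{local.microsecond // 1000:03d} {local.tzname()} "
            f"{local:%a %b} {local.day} {local.year}")


if __name__ == "__main__":
    for ts in ("CFCD7115.E719AFF8", "00000000.00000000"):
        utc = ntp_timestamp_to_utc(ts)
        print(ts, "->", utc.isoformat(timespec="seconds"), "->", format_like_ios(utc))
```

The UTC value is the only thing that crosses the wire; a Windows client or a branch router receiving the same timestamp has to apply its own zone and summer-time rule, which is why the zone names you pick on the router never reach the clients.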

New Member

Re: Need help with NTP service on Cisco routers

Dear Richard,

It was a pleasure to receive your help.

Thank you very much.

For now I have no more questions about NTP, but when I have some I will ask you again.

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

I am glad that my information was helpful and that your questions about NTP are resolved. Thank you for the ratings and for marking the question as resolved. It makes the forum more useful when people can read a question and can know that responses were able to successfully resolve the question.

I encourage you to continue your participation in the forum.

HTH

Rick

New Member

Re: Need help with NTP service on Cisco routers

I am sorry for coming back so soon, but I have a problem while deploying NTP.

The problem is on the Internet border Cisco 871.

Here are the respective parts of my config:

clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00

! access-list for external interface FA4

ip access-list extended fa4_in
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
deny   ip any any

ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85

I had to add permissions for the NTP servers because the stateful firewall did not help, maybe because I have NAT enabled for only one host (the Wingate WAN IP, which is connected to the border Cisco's LAN, and there is no NAT for the latter).

Anyway, I created the permissions and it has already been 20-30 minutes that I see this:

InternetBorderRouter#show ntp as

  address         ref clock       st   when   poll reach  delay  offset   disp
~173.14.47.149   .INIT.          16      -   1024     0  0.000   0.000 15937.
~208.66.175.36   .INIT.          16      -   1024     0  0.000   0.000 15937.
~64.125.78.85    .INIT.          16      -   1024     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

InternetBorderRouter#show ntp st
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 249.9684 Hz, actual freq is 249.9684 Hz, precision is 2**16
reference time is 00000000.00000000 (04:00:00.000 AMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.06 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.

What did I forget?

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

Can you clarify what the address in the access list x.y.z.t represents?

I would think that your access list should work, but you might try adding these lines to it as an experiment:

permit udp host 173.14.47.149 host x.y.z.t eq ntp
permit udp host 208.66.175.36 host x.y.z.t eq ntp
permit udp host 64.125.78.85  host x.y.z.t eq ntp

Also can you post the output of the command

show run | include ntp

HTH

Rick

New Member

Re: Need help with NTP service on Cisco routers

- Can you clarify what the address in the access list x.y.z.t represents?

It is the router's WAN IP (it is a public IP).

Here is InternetBorderRouter#show run | include ntp

ntp disable
ntp disable
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
permit udp host 173.14.47.149 eq ntp host a.b.c.d
permit udp host 208.66.175.36 eq ntp host a.b.c.d
permit udp host 64.125.78.85 eq ntp host a.b.c.d
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85

You can see two filters and "ntp disable" twice because I have two providers for resilience. ISP2 is the main provider; I used administrative distance and IP SLA (pinging 2 root Internet DNS servers) to keep the 2 ISPs functioning.

Here is the full config, just in case:

InternetBorderRouter#show run
Building configuration...

Current configuration : 4862 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname InternetBorderRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging message-counter syslog
logging buffered 131072 notifications
no logging console
no logging monitor
enable secret 5 $1$A1mG$IBEIdMqCxKDr4EC9H45tA1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone AMT 4
clock summer-time AMST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
!
!
!
!
ip cef
no ip bootp server
ip inspect name internet icmp
ip inspect name internet tcp
ip inspect name internet udp
login block-for 60 attempts 3 within 5
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ----- secret 5 $1$1nfq$z6u1D4a8js2QO83GWYrR20
!
!
!
archive
 log config
  logging enable
  logging size 900
  notify syslog contenttype plaintext
  hidekeys
 path flash:Backed-up-Config
 maximum 5
 write-memory
 time-period 1440
!
!
!
track 10 ip sla 1 reachability
 delay down 10 up 15
!
track 20 ip sla 2 reachability
 delay down 10 up 15
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 description SwitchPort_VLAN10_To-LAN
 switchport access vlan 10
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description SwitchPort_VLAN13_To-ISP1
 switchport access vlan 13
!
interface FastEthernet4
 description To-ISP2
 ip address x.y.z.t 255.255.255.192
 ip access-group fa4_in in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect internet out
 ip virtual-reassembly
 duplex auto
 speed auto
 ntp disable
!
interface Vlan1
 no ip address
!
interface Vlan10
 description To-LAN
 ip address 192.168.200.51 255.255.255.224
 ip nat inside
 ip virtual-reassembly
!
interface Vlan13
 description To-ISP1
 ip address a.b.c.d 255.255.255.252
 ip access-group vlan13_in in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect internet out
 ip virtual-reassembly
 ntp disable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 a.b.c.d 4 track 10
ip route 0.0.0.0 0.0.0.0 x.y.z.t track 20
ip route 192.5.5.241 255.255.255.255 a.b.c.d name To_RootDNS-1_ISP1-SLA
ip route 199.7.83.42 255.255.255.255 x.y.z.t name To_RootDNS-2_ISP2-SLA
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 14400
ip nat translation tcp-timeout 14400
ip nat translation icmp-timeout 1800
ip nat inside source route-map fa4 interface FastEthernet4 overload
ip nat inside source route-map vlan13 interface Vlan13 overload
!
ip access-list extended fa4_in
 permit icmp host 199.7.83.42 host x.y.z.t
 permit udp host 173.14.47.149 eq ntp host x.y.z.t
 permit udp host 208.66.175.36 eq ntp host x.y.z.t
 permit udp host 64.125.78.85 eq ntp host x.y.z.t
 deny   ip any any
ip access-list extended nat_fa4
 permit ip host 192.168.200.41 any
 deny   ip any any
ip access-list extended nat_vlan13
 permit ip host 192.168.200.41 any
 deny   ip any any
ip access-list extended vlan13_in
 permit icmp host 192.5.5.241 host a.b.c.d
 permit udp host 173.14.47.149 eq ntp host a.b.c.d
 permit udp host 208.66.175.36 eq ntp host a.b.c.d
 permit udp host 64.125.78.85 eq ntp host a.b.c.d
 deny   ip any any
!
ip sla 1
 icmp-echo 192.5.5.241 source-interface Vlan13
 timeout 2000
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 199.7.83.42 source-interface FastEthernet4
 timeout 2000
 threshold 1000
 frequency 3
ip sla schedule 2 life forever start-time now
logging trap notifications
logging facility local2
logging source-interface Loopback0
no cdp run
!
!
!
!
route-map vlan13 permit 10
 match ip address nat_vlan13
 match interface Vlan13
!
route-map fa4 permit 10
 match ip address nat_fa4
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 no modem enable
 transport output ssh
line aux 0
 exec-timeout 5 0
 transport preferred none
 transport output none
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 transport input ssh
 transport output none
!
scheduler max-task-time 5000
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85
end

BTW, one more question: as you can see, I disabled ntp on both WAN interfaces. Now only the LAN can serve as the NTP server interface. Besides, 3 Internet NTP servers are set by "ntp server" commands. The question is: do I need to additionally restrict access to the NTP service on the LAN (by using "ntp access-group serve-only") to be sure that no host can make control queries to the router's NTP server?

New Member

Re: Need help with NTP service on Cisco routers

Richard,

One thing is still strange to me: why doesn't the stateful firewall make holes? (In case the problem is in the access-list.)

As you can see I have it enabled.

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

I agree that the stateful firewall should create a dynamic entry to permit responses from the Internet NTP servers to the request sent by the router. I can not tell from what we see at this point whether the problem is in the access list and the stateful firewall or whether it might be something else.

As an experiment I would suggest that you remove the ntp disable commands from the interfaces and see if that makes any difference.

If the problem still persists then I would suggest that you run debug ntp (perhaps debug ntp packet) to try to determine what you are sending and what, if anything, you get in response. (note that you may need to enable logging monitor or change the severity level of logging buffered to debug to be able to see the debug output)

In your previous post you ask about configuring and using an access list to control ntp activity. I am not sure that I see much reason for that in your situation, and I certainly would not start doing something like that until I had NTP running successfully.

HTH

Rick

New Member

Re: Need help with NTP service on Cisco routers

Dear Richard,

Yesterday I totally removed the access-list from interface FA4 (the one facing the main ISP). Result - no change. => The problem is not in the access-lists.

Now I am removing "ntp disable" from both WAN interfaces.

I'll report in several minutes.

New Member

Re: Need help with NTP service on Cisco routers

Report:

  address         ref clock       st   when   poll reach  delay  offset   disp
~173.14.47.149   .ACTS.           1     14     64    77  0.000   3.807 190.26
~208.66.175.36   .ACTS.           1     21     64    77  0.000  -0.381 190.41
*~64.125.78.85    .ACTS.           1     23     64    77  0.000  -0.191 190.62
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Clock is synchronized, stratum 2, reference is 64.125.78.85
nominal freq is 249.9684 Hz, actual freq is 249.9684 Hz, precision is 2**16
reference time is CFCD7115.E719AFF8 (10:52:21.902 AMST Thu Jun 24 2010)
clock offset is 0.0031 msec, root delay is 0.25 msec
root dispersion is 0.07 msec, peer dispersion is 0.06 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000002 s/s
system poll interval is 64, last update was 1 sec ago.

Finally, it is working. I think we can conclude that "ntp disable" disables the NTP service entirely, not only the NTP server service!

The source of the info I mentioned earlier was incorrect about this.

About my last question: I want to be sure that no "inimical" or rogue NTP client/peer/server placed in my LAN/Intranet can control my NTP server (the router) using NTP control queries. I am just not sure that it is technically possible in case the latter is set up to synch from the particular external authoritative NTP servers.

So, the main question is: is it possible to control a router (NTP server) configured to synch from authoritative external NTP servers from inside, by sending NTP control queries to its LAN interface, and how dangerous is it?

New Member

Re: Need help with NTP service on Cisco routers

Well, everything is working fine now.

I want to add one more thing for the people who will go the same way: there is a problem making Windows systems synch from Cisco routers. The official way MS proposes for setting an external NTP server on Windows does not work properly in this case.

http://support.microsoft.com/kb/314054#EXTERNAL

http://support.microsoft.com/kb/816042/

As a working alternative I found this recipe:

http://etherealmind.com/ios-configure-windows-2003-xp-use-ntp-server-sync-time-clock-router/

In short you need to do the following:

Configuring Windows 2003 / XP SP2 to Use IOS NTP Server

Stop the Windows Time Service using the CLI.
C:\Program Files\Support Tools>
net stop w32time

Here comes the magic part:
w32tm /config /manualpeerlist:"192.168.0.1,192.168.200.51",0x8 /syncfromflags:MANUAL

The peer list must be enclosed.
Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets (the Microsoft way). The NTP server replies to these normal client requests as usual.

Restart the Windows Time Service and then force a sync.
net start w32time
w32tm /resync

I tried it, and it has been working since yesterday. Almost properly. Almost, because:

1) the "update now" button does not always work, but this could be normal / explainable; I watched the autosynch and it was working fine;

2) I see only 3 events, and they are from yesterday evening (in the OS event viewer):

Event Type:    Information
Event Source:    W32Time
Event Category:    None
Event ID:    35
Date:        24/06/10
Time:        19:32:57
User:        N/A
Computer:    ITHEAD
Description:
The time service is now synchronizing the system time with the time source 192.168.0.1 (ntp.m|0x8|192.168.0.220:123->192.168.0.1:123).

and that's all. Meanwhile, when I look in the Date and Time Properties window I can see that some time ago today the time was successfully updated from the core Cisco!?

So it is working, but I don't like these strange things happening. I am worrying because I am going to setup my forest root PDC emulator plus some standalone critical servers to be synched from the Cisco...

New Member

Re: Need help with NTP service on Cisco routers

Oh-h.

Since yesterday evening the NTP service is not working. I can't see any reason except "wrong" NTP clients which made the border router (our main NTP server) crazy.

Even router reloading did not help, which is very strange as one day earlier everything was working fine with the same config!?

Anyway, yesterday I decided to restrict access to NTP service using ntp access-groups. I added this on the border Cisco (according to what I have read from "Hardening Cisco Router", chapter 10, NTP):

access-list 41 permit 192.168.200.41 0.0.0.0
access-list 41 deny any
ntp access-group serve-only 41

(192.168.200.41 is the IP of Wingate, which also does NAT for the core Cisco 1811. Both Wingate and the core Cisco have to synch from the border Cisco 871. All others will synch from the core router.)

The border router did not synch with the public NTP servers, I could not do anything and went home late. At home I decided to check whether the access-group could prevent the router from synching from its NTP servers. I checked on the Internet and found a couple of examples showing that when you use ntp access-groups, you should also create one more access-group to allow your device to synch from its NTP servers!

So today I added this:

access-list 42 permit 64.125.78.85
access-list 42 permit 173.14.47.149
access-list 42 permit 208.66.175.36
access-list 42 deny   any
ntp access-group peer 42

And now I have this (a.b.c.d is the ip of interface looking at ISP1, x.y.z.t - ISP2):

InternetBorderRouter#show run | inc ntp
permit udp host 173.14.47.149 eq ntp host x.y.z.t
permit udp host 208.66.175.36 eq ntp host x.y.z.t
permit udp host 64.125.78.85 eq ntp host x.y.z.t
permit udp host 173.14.47.149 eq ntp host a.b.c.d
permit udp host 208.66.175.36 eq ntp host a.b.c.d
permit udp host 64.125.78.85 eq ntp host a.b.c.d
ntp access-group peer 42
ntp access-group serve-only 41
ntp server 173.14.47.149
ntp server 208.66.175.36
ntp server 64.125.78.85

And you know, it started to work again!!!

Oh-h.

Now I am going to make the same additions to the core Cisco 1811, and I think I have to do the same for the branch Cisco 871s...

P.S. About my last question to Richard, I think now we know the answer.

New Member

Re: Need help with NTP service on Cisco routers

Here is my last question I mentioned above:

"About my last question: I want to be sure that no "inimical" or rogue NTP client/peer/server placed in my LAN/Intranet can control my NTP server (the router) using NTP control queries. I am just not sure that it is technically possible in case the latter is set up to synch from the particular external authoritative NTP servers.

So, the main question is: is it possible to control a router (NTP server) configured to synch from authoritative external NTP servers from inside, by sending NTP control queries to its LAN interface, and how dangerous is it?"

And one more thing, I just checked "Hardening Cisco Router", chapter 10, NTP, in their example there were no access-group for the router's NTP servers! So it was not my fault.
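The question above (can a LAN host send NTP control queries to the router, and does it answer?) is easy to test directly rather than reason about. The following is an added example, not code from this thread, from Cisco or from the book quoted above: it builds an NTP mode-6 control message (the packet type ntpq-style "readvar"/"readstat" queries use, per RFC 1305 Appendix B), parses the reply, and offers a probe you can run from a LAN host against the router's LAN address (192.168.200.51 in the configuration above). A reply means the router is answering control queries from that host; a timeout after `ntp access-group` restrictions are in place is the result you want. The sample reply at the bottom is constructed for offline use and does not come from any real router. Unauthenticated control queries disclose the server's configuration and peers and the replies are larger than the requests, so leaving them open to arbitrary hosts is undesirable.

```python
import socket
import struct

NTP_PORT = 123
MODE_CONTROL = 6                 # NTP packet mode 6 = control message (RFC 1305 Appendix B)
OP_READSTAT, OP_READVAR = 1, 2   # opcodes behind ntpq-style "readstat" / "readvar"
HEADER = "!BBHHHHH"              # LI/VN/mode, R/E/M/opcode, sequence, status, assoc id, offset, count


def build_control_request(opcode, assoc_id=0, sequence=1, data=b""):
    """Mode-6 request with LI=0, VN=2 and the response/error/more bits clear."""
    first = (0 << 6) | (2 << 3) | MODE_CONTROL          # 0x16
    return struct.pack(HEADER, first, opcode & 0x1F, sequence, 0, assoc_id, 0, len(data)) + data


def parse_variables(body):
    """Turn 'name=value,name="quoted, value"' into a dict; commas inside quotes are kept."""
    text = body.decode("ascii", errors="replace").rstrip("\x00\r\n")
    items, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    out = {}
    for item in items:
        if "=" in item:
            k, v = item.split("=", 1)
            out[k.strip()] = v.strip().strip('"')
        elif item.strip():
            out[item.strip()] = ""
    return out


def parse_control_response(pkt):
    """Decode the 12-byte control header and the variable list it carries."""
    if len(pkt) < struct.calcsize(HEADER):
        raise ValueError("short packet")
    first, rem, seq, status, assoc, offset, count = struct.unpack(HEADER, pkt[:12])
    if first & 0x07 != MODE_CONTROL:
        raise ValueError("not a mode-6 control message")
    return {
        "version": (first >> 3) & 0x07,
        "response": bool(rem & 0x80),   # R bit: this is a reply
        "error": bool(rem & 0x40),      # E bit: server refused / error
        "more": bool(rem & 0x20),       # M bit: further fragments follow
        "opcode": rem & 0x1F,
        "sequence": seq,
        "status": status,
        "assoc_id": assoc,
        "variables": parse_variables(pkt[12:12 + count]),
    }


def probe_control_queries(host, timeout=2.0):
    """Ask the system association for its variables; None means nothing came back
    within the timeout, which is what a restricted router should look like from the LAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_control_request(OP_READVAR), (host, NTP_PORT))
        try:
            pkt, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_control_response(pkt)


# Constructed reply for offline use: the shape of a READVAR answer on the wire (not real output).
SAMPLE_VARS = b'version="IOS, constructed sample",stratum=2,refid=64.125.78.85,offset=0.003'
SAMPLE_REPLY = struct.pack(HEADER, 0x16, 0x80 | OP_READVAR, 1, 0x0644, 0, 0, len(SAMPLE_VARS)) + SAMPLE_VARS

if __name__ == "__main__":
    print(parse_control_response(SAMPLE_REPLY))
    # Live check from a LAN host against the border router's LAN address:
    # print(probe_control_queries("192.168.200.51"))
```

Run the probe once from a host that should be allowed (here Wingate at 192.168.200.41) and once from any other LAN host; the first should get a reply only if you intend it to, the second should time out. Mode-6 control messages are a separate thing from the mode-3 client requests that `serve-only` still permits, so a host can be allowed to fetch time and still be refused control queries.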

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

It is not particularly well documented but in my experience if a router is learning NTP from some server and also is providing NTP to some clients and if you want to use one of NTP access restrictions (serve-only or peer) then you need to use both of them. It is unfortunate that the discussion in Hardening Cisco Routers did not make that point.

I am glad that you have figured out so much about NTP. Thank you for posting to the forum how you got the Windows clients to work with Cisco for NTP. I think that many people will find that useful.

HTH

Rick
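The behaviour Rick describes follows from how IOS evaluates NTP access groups: the configured groups are checked in the order peer, serve, serve-only, query-only, the first group whose ACL permits the source address decides what that address may do, and once any access group is configured, an address matched by none of them gets nothing. Synchronising to a server requires "peer" access for that server's address, which is why `serve-only 41` alone stopped the border router from taking time from its upstream servers until `peer 42` was added. The following is an added model of that evaluation, not code from this thread or from Cisco; it assumes the documented ordering above and uses the ACLs 41 and 42 from the post above as its sample input.

```python
import ipaddress

# IOS evaluates the configured access groups in this order (least to most restrictive)
# and grants the first type whose ACL permits the source address.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_standard_acl(lines):
    """'access-list N permit|deny A.B.C.D [wildcard]' or '... any' -> [(action, addr, wildcard)]."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append((action, 0, 0xFFFFFFFF))
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"   # omitted wildcard = single host
            entries.append((action, _ip(target), _ip(wildcard)))
    return entries


def acl_permits(entries, src):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s = _ip(src)
    for action, addr, wild in entries:
        if (s & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False


def ntp_access(access_groups, acls, src):
    """access_groups: {"serve-only": 41, "peer": 42}; acls: {41: entries, 42: entries}.
    Returns the access type granted to src, "all" when no group is configured, None when denied."""
    if not access_groups:
        return "all"
    for kind in ACCESS_ORDER:
        num = access_groups.get(kind)
        if num is not None and acl_permits(acls[num], src):
            return kind
    return None


def can_sync_from(access_groups, acls, server):
    """Taking time from a server needs 'peer' access for that server's address."""
    return ntp_access(access_groups, acls, server) in ("all", "peer")


# The two ACLs from the post above.
ACLS = {
    41: parse_standard_acl(["access-list 41 permit 192.168.200.41 0.0.0.0",
                            "access-list 41 deny any"]),
    42: parse_standard_acl(["access-list 42 permit 64.125.78.85",
                            "access-list 42 permit 173.14.47.149",
                            "access-list 42 permit 208.66.175.36",
                            "access-list 42 deny   any"]),
}
FIRST_ATTEMPT = {"serve-only": 41}          # serve-only alone: upstream servers get no access
FIXED = {"serve-only": 41, "peer": 42}      # adding peer 42 lets the router sync again

if __name__ == "__main__":
    for label, groups in (("serve-only only", FIRST_ATTEMPT), ("serve-only + peer", FIXED)):
        print(label,
              "| upstream 64.125.78.85 ->", ntp_access(groups, ACLS, "64.125.78.85"),
              "| Wingate 192.168.200.41 ->", ntp_access(groups, ACLS, "192.168.200.41"),
              "| other LAN host ->", ntp_access(groups, ACLS, "192.168.200.99"))
```

With only `serve-only 41`, the model returns no access for 64.125.78.85 and sync is impossible; with both groups, the upstream servers get "peer", Wingate gets "serve-only" (time requests only, no control queries), and every other LAN address gets nothing, which is the restriction the thread was after.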

New Member

Re: Need help with NTP service on Cisco routers

Dear Richard, I am happy to do something useful.

BTW: About synching MS Windows machines, in the articles of MS I mentioned earlier, in the section named: "Configuring the Windows Time service to use an external time source", among other steps it is written to change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled to "1".

Someone following the instructions (me, for example) can just mechanically make the change and end up with as many NTP servers as the number of machines he "prepares" to be NTP clients of an external NTP server.

I don't know why MS put this step in the section of "Configuring the Windows Time service to use an external time source"...

So be careful, don't change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled key value unless you want the Windows machine to be a time server.

New Member

Re: Need help with NTP service on Cisco routers

rburts wrote:

It is unfortunate that the discussion in Hardening Cisco Routers did not make that point.

BTW, the mistake about "ntp disable" was also from that book! "Good" book...

Hall of Fame Super Silver

Re: Need help with NTP service on Cisco routers

Alen

You have learned a lot about how to implement NTP (and protect NTP) on Cisco routers. And you have found some errors in the article about Hardening Cisco Routers.

We wish that the technical articles that we use would be flawless, but that rarely happens. It has been quite a while since I looked at that article, but my memory is that they were quite correct about a lot of aspects (and they missed a few). It is in discussion in forums such as this that we can fine tune the presentation of these details. I hope that you will continue to investigate how the details of networking really work and that you will continue to post the results of what you find.

HTH

Rick

New Member

Re: Need help with NTP service on Cisco routers

Dear Richard,

Thank you very much for your help. I think I got almost all the answers about deploying a centralised NTP service in a small company using Cisco routers.

P.S. In fact, today I noticed that I still have problems with the core Cisco: it cannot consistently synch from the border Cisco, but I feel I'll fix it.

Possibly the problem is either that I (accidentally) made Wingate an NTP server, or that two hosts (the core Cisco and Wingate) are both synching from the border router under the same IP (Wingate does NAT for the core Cisco). I changed Wingate back to an NTP client, and I will change it to synch from the core Cisco if the first step does not help. Hope this will solve my problems.

I'll report if something interesting happens...

See you in my new threads.
