Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

NTP

Hi,

Is it possible to make a Router as an NTP Server.

My requirement is to allow Windows Domain controller to connect to NTP Server to synchronise the time and then all other server will point to Domain Controller.

Looking for a best options

12 REPLIES

Re: NTP

What kind of router are you using? We have our Catalyst 6513 set up as NTP server. Tehse are some of the commands:

ntp authenticate

ntp clock-period xxxxx

ntp master

ntp peer 192.43.244.18

Thanks,

Mohamad

Hall of Fame Super Silver

Re: NTP

Ronald

It is certainly possible to configure your router to act as an NTP server for the devices in the Windows network. The best solution for this is to configure the router to learn NTP time from one of the available NTP servers in the Internet. If the router has learned authoritative time from an Internet NTP server then it will automatically act as an NTP server for the devices in your network.

If, for some reason, you do not configure your router to learn NTP time from an Internet NTP server, then you would use the ntp master command on your router to have it act as an NTP server for your network. Based on your description you do not need the ntp authenticate command and you should not configure the ntp clock-period command as suggested by Mohamad. The ntp peer command which he suggests is the command to have your router learn NTP time from an NTP server and the 192.43.244.18 is one of the available public NTP servers so it would be good to use this in your router.

note: if you learn time from an Internet NTP server you do not need the ntp master command. You would need the ntp master command only if your router is not learning time from any other source. I suggest that you just use this and be done with it:

ntp peer 192.43.244.18

HTH

Rick

Blue

Re: NTP

Rick:

As usual, very informative and complete.

Rated it.

Victor

New Member

Re: NTP

Do I need to open any ports on the ASA Firewall to allow traffic from Windows Domain Controller to the router and vice-versa

Internet----IRTR---Firewall-----Layer3-Switch-----Windows-Server

Thats the setup I have.

Hall of Fame Super Silver

Re: NTP

Ronald

You would need to open up UDP port 123.

HTH

Rick

Hall of Fame Super Gold

Re: NTP

Hi Ronald,

I agree with Rick. NTP "clock-period" is auto-generated by the appliance so I always remove this from my config documents.

You can go to the NTP website (http://support.ntp.org/bin/view/Servers/WebHome) and choose from the list of Public Pool, Primary or Secondary and drill down to your region.

Again with Rick, I'd avoid using "NTP Master" if you have your NTP is authoritative.

New Member

Re: NTP

Hi,

In my scenario.

The Router will learn NTP time from one of the available NTP servers in the Internet.

I have only configured the router with "ntp peer 192.43.244.18"

The output are :-

sh ntp associations

address ref clock st when poll reach delay offset disp

*~192.43.244.18 .ACTS. 1 10 64 175 259.0 3.67 2.1

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Do I need to add any security parameter to it, or any missing config

Hall of Fame Super Gold

Re: NTP

Hi Ronald,

Do you see the "*" symbol? It means that that IP Address you've provided is now the "master" time. The third column shows that this is an authoritative time, the "1", means that this is the highest.

To verify, do a "show clock". If your time does not have a "." symbol in the beginning, then it means that your appliance is synchronized to a clock source.

New Member

Re: NTP

Thanks.

If you have noticed I have just entered basic reqd command for NTP, is there any security issues with this.

Bit concern about security, any suggestions

Hall of Fame Super Gold

Re: NTP

NTP has an option to use either authentication-key or trust-key.

You can also put an ACL.

Hall of Fame Super Silver

Re: NTP

Ronald

What you have configured is typically enough when you learn time from one of the public Internet NTP servers. You might configure some authentication or access lists as suggested by Leo for NTP within your own network. But it is not common to do that with the public Internet NTP servers.

Most people regard the security risk in doing NTP with public Internet NTP servers as slight risk. If you are concerned about that risk the alternative is to purchase some device with atomic clodk and to generate your own authoritative time without using the public Internet NTP servers.

HTH

Rick

New Member

Re: NTP

Thanks to all..

225
Views
9
Helpful
12
Replies
CreatePlease to create content