Cisco Support Community
Community Member

NTP Server - Security Question

Hi

I want to configure NTP Server on a router and it would be the only source for all other devices on the network ( server /routers / linux_boxes ).

The Router would be directly connected to internet via public IP on one interface.

How do I secure the router for NTP Server role only.

Router# conf t
Router(config)# ntp server 192.168.1.15   # Public IP
Router(config)# ntp server 172.32.10.55   # Public IP
Router(config)# clock timezone PST -8

Any other NTP Public Server recommended?

8 REPLIES
Hall of Fame Super Gold

Re: NTP Server - Security Question

"192.168.1.15" & "172.32.10.55" are not PUBLIC IP addresses.

any other NTP Public Server recommended?

Here's a list of NTP/SNTP public servers:

http://support.microsoft.com/kb/262680

Hope this helps.  Please don't forget to rate useful posts.  Thanks.

Re: NTP Server - Security Question

Just a comment:

"192.168.1.15" & "172.32.10.55" are not PUBLIC IP addresses.

172.32.x.x is a public IP.

The private range from class B is only 172.16.0.0 - 172.31.255.255

Federico.

Re: NTP Server - Security Question

Hi,

Configure the router as an NTP server with stratum 1 and authentication on client and server. Stratum 1 will be the preferred server over servers with stratum higher than 1; also, you may authenticate clients with the server.

Client

R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 CISCO
R2(config)#ntp trusted-key 1
R2(config)#ntp server 12.0.0.1 key 1

Server

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ntp master 1
R1(config)#ntp authentication-key 1 md5 CISCO

Hope this helps

Hitesh Vinzoda

Pls rate useful posts
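What `ntp authentication-key 1 md5 …` and `ntp server … key 1` in the reply above add to each packet, as an added Python example (not code from the thread or from Cisco): NTP symmetric-key authentication appends a 4-byte key ID and an MD5 digest computed over the key followed by the NTP header, and a receiver that requires authentication drops anything whose key ID is not trusted or whose digest does not match. The header contents are constructed sample values, and treating the key string as raw ASCII bytes is an assumption.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP header, no extension fields
MD5_MAC_LEN = 4 + 16         # 4-byte key ID + 16-byte MD5 digest


def build_header(mode: int, stratum: int = 0, version: int = 3) -> bytes:
    """Constructed 48-byte NTP header: LI=0, given version/mode, zeroed timestamps."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", first, stratum, 6, -20) + bytes(NTP_HEADER_LEN - 4)


def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header), the NTP symmetric-key MAC."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, trusted_keys: dict[int, bytes]) -> str:
    """Mimic a receiver that requires authentication with a set of trusted keys."""
    if len(packet) == NTP_HEADER_LEN:
        return "rejected: no MAC"
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return "rejected: bad length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return "rejected: key %d not trusted" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "rejected: digest mismatch"
    return "accepted"


# Constructed sample values; the key string mirrors the thread's "CISCO".
TRUSTED = {1: b"CISCO"}
reply = add_mac(build_header(mode=4, stratum=1), key_id=1, key=b"CISCO")
tampered = bytes([reply[0], 2]) + reply[2:]   # stratum field altered in transit

if __name__ == "__main__":
    for name, pkt in [("authentic", reply), ("tampered", tampered),
                      ("unsigned", reply[:NTP_HEADER_LEN]),
                      ("wrong key", add_mac(reply[:48], 1, b"cisco")),
                      ("untrusted id", add_mac(reply[:48], 2, b"CISCO"))]:
        print(f"{name:13s} {verify(pkt, TRUSTED)}")
```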

Re: NTP Server - Security Question

Hi,

Use authentication or an access list in the NTP server configuration so that only authenticated clients that have the key can sync with the NTP server. Check out the link below for NTP server configuration on switches/routers along with authentication/access lists.

https://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001170

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Community Member

Re: NTP Server - Security Question

Hi

I tested the attached config, but it doesn't work.


Server -

NTP# conf t
NTP(config)# clock timezone PST -8
NTP(config)# ntp server clock.via.net
NTP(config)# ntp server nist1.symmetricom.com
NTP(config)# ntp master 1
NTP(config)# ntp authentication-key 1 md5 brief1


Client -
Rx(config)#ntp authenticate
Rx(config)#ntp authentication-key 1 md5 brief1
Rx(config)#ntp trusted-key 1
Rx(config)#ntp server 192.168.1.90 key 1

=============================================

Re: NTP Server - Security Question

Hi Saquib,

Are you able to reach the NTP server clock.via.net from your switch? You also need to configure ntp master 3 or 2 on your switch, as trusted is configured as stratum 1 in the NTP time server which is configured to sync with your switches.

Hope to Help !!

Ganesh.H

Community Member

Re: NTP Server - Security Question

Hi Ganesh,

I have an NTP Server sync issue with the NTP global server, and the NTP client cannot sync with the NTP Server,

but the NTP server can reach the internet.

The NTP client can ping the NTP Server.

Am I missing some config?

Community Member

Re: NTP Server - Security Question

Hi

Please check this link, works like a charm for me. It doesn't completely cover your objective but is pretty close:

http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

Please look for the Cisco Cookbook and check Recipe 14.7 Setting the Router as the NTP Master for the Network

14.7.1 Problem You want to use the router as an NTP server to act as the primary time source for the network.

And of course this one http://support.ntp.org/bin/view/Support/ConfiguringNTP

Note: access control lists between the router and its NTP peer may prevent ping traffic from passing, but allow NTP (or vice versa).

What are the debug(s) telling you? The Linuxes and Cisco's Windows? Obviously, did you enable NTP on the appropriate interfaces?

debug ntp packets

(and turn on "term mon" to see what happens on your Cisco; when finished, turn it off --> term no mon & no debug all)

show ntp associations

ping ntp server ip address

debug ntp packet

Good luck!
