Config of Clock Set, NTP Server / Client, Authentication, but first Fundamentals!
Without NTP not only is your network logging going to be a nightmare to match up, but various other services rely on NTP being correct, which is why my configuration of a local MLS being the Master Clock is a TERRIBLE idea!
When configuring NTP on your LAN switches, you will want to check the website for Atomic Clock addresses in all Regions of the world at pools.ntp.org as they have extensive lists of servers for use.
Also be sure to allow outbound UDP Port 123 (NTP) on your Firewalls / Edge devices.
NTP also keeps things like QoS, SLA, and other services running so it needs to be set for any sort of advanced feature set to be deployed on the network (or keep track of logs).
Configuration of “clock set” on the NTP Master for NTP Clients!
It's a bit weird, as “clock set” and “show clock” are both done from Privileged EXEC mode (the # prompt), not from global configuration:
SW1#clock set ?
hh:mm:ss Current Time
SW1#clock set 18:44:00 ?
<1-31> Day of the month
MONTH Month of the year
SW1#clock set 18:44:00 august ?
<1-31> Day of the month
SW1#clock set 18:44:00 august 18 ?
<1993-2035> Year
SW1#clock set 18:44:00 august 18 2018 ?
<cr>
SW1#clock set 18:44:00 august 18 2018
SW1#
*Aug 18 18:44:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:49:41 UTC Mon Mar 1 1993 to 18:44:00 UTC Sat Aug 18 2018, configured from console by console.
SW1#
SW1#sh clock
18:49:29.932 UTC Sat Aug 18 2018
SW1#
BUT THIS IS FAR FROM OVER JUST YET – WE HAVE SOME MORE CLOCK CONFIG!
SW1#conf t
SW1(config)#clock ?
initialize Initialize system clock on restart
save backup of clock with NVRAM
summer-time Configure summer (daylight savings) time
timezone Configure time zone
SW1(config)#clock timezone ?
WORD name of time zone
SW1(config)#clock timezone CDT ?
<-23 - 23> Hours offset from UTC
SW1(config)#clock timezone CDT -5 ?
<0-59> Minutes offset from UTC
<cr>
SW1(config)#clock timezone CDT -5
SW1(config)#
Aug 18 19:24:14.811: %SYS-6-CLOCKUPDATE: System clock has been updated from 19:24:14 UTC Sat Aug 18 2018 to 14:24:14 CDT Sat Aug 18 2018, configured from console by console.
SW1(config)#clock init ?
nvram Enable clock restart from nvram
SW1(config)#clock init nvram ?
<cr>
SW1(config)#clock init nvram
SW1(config)#
I’m not sure the “clock initialize nvram” was really necessary, but you MUST set the clock timezone if setting the time locally for NTP; this is done in Global Configuration as seen!
NOW, we can get to some NTP configuration!
Configuration of the NTP “Master Server” on SW1 for NTP Clients time source
I’ll step through the long list of NTP configs here to view them all, and add a “Stratum 2” at the end, and explain why I did that:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ntp ?
access-group Control NTP access
allow Allow processing of packets
authenticate Authenticate time sources
authentication-key Authentication key for trusted time sources
broadcastdelay Estimated round-trip delay
clock-period Length of hardware clock tick
logging Enable NTP message logging
master Act as NTP master clock
max-associations Set maximum number of associations
maxdistance Maximum Distance for synchronization
panic Reject time updates > panic threshold
passive NTP passive mode
peer Configure NTP peer
server Configure NTP server
source Configure interface for source address
trusted-key Key numbers for trusted time sources
SW1(config)#ntp master ?
<1-15> Stratum number
<cr>
SW1(config)#ntp master 2 ?
<cr>
SW1(config)#ntp master
SW1(config)#
Note there is a “Server” option in there, but that is for Clients to point them at their respective NTP Servers, we are configuring SW1 as the “Master Clock” for this network.
I also wanted to show that you can manually set a Stratum # behind the Master command; this is used to set preferences as to which Master is used, as the lower the Stratum # the more preferred.
It ranges from 1-15 because Stratum 0 is an Atomic Clock, Stratum 16 is considered unreliable / incorrect time, and the Stratum increments dynamically with each hop away from the NTP Time Source the NTP Client gets.
Verification commands for NTP and their output (for both Master and Clients)
(Note the following commands were showing Stratum 16 on the Master until I set the timezone, so it is absolutely required for Home labs and NTP)
First I’ll check out my Master SW1 with both verify commands and highlight the parts that we as CCNP candidates are interested in.
“show ntp status”:
SW1#sh ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is DF22F10E.D513457F (14:25:02.832 CDT Sat Aug 18 2018)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.39 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 11 sec ago.
That first line is really the only one we need. It tells us the clock is Synchronized, it is Stratum 8 (Stratum 8 is the default Stratum # for a Cisco Device configured as NTP Master), and the reference clock is our Loopback address, which means we are the reference clock!
“sh ntp assoc”:
SW1#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~ 127.127.1.1 .LOCL. 7 0 16 377 0.000 0.000 0.250
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
SW1#
What we really want to see from any NTP device in this output is that *~ next to the peer entry, showing that it is A. Configured (~) and B. the selected System Peer (*) for an NTP Server!
You can see essentially the same information: the IP is the local Loopback, the reference is LOCL, though the stratum is 7, which will be explained with the next NTP Client configuration coming up here!
So our NTP Master Clock is in business, time to configure some NTP Clients!
For just a bare bones NTP Client configuration it couldn’t be much easier:
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#ntp server 10.0.0.1
SW2(config)#
Tada!
Now let's check verifications on SW2 as an NTP Client:
SW2#sh ntp status
Clock is synchronized, stratum 9, reference is 10.0.0.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is DF22F5CA.2AD4A159 (19:45:14.167 UTC Sat Aug 18 2018)
clock offset is -1.2113 msec, root delay is 2.61 msec
root dispersion is 7940.01 msec, peer dispersion is 0.04 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 44 sec ago.
SW2#
SW2#
SW2#
SW2#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~ 10.0.0.1 127.127.1.1 8 48 64 1 1.877 -1.211 0.043
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
SW2#
So we can actually see that Stratum behavior here as well: it must mean the “show ntp status” Stratum is THIS DEVICE'S Stratum, while “sh ntp assoc” shows the NTP Server's Stratum, so to keep things logically running correctly the Master makes itself a Stratum 7 in its own view of the reference clock!
Now before we configure SW3 correctly, I want to take a look at what incorrect looks like.
Configuring SW3 with incorrect NTP Server information and its verification output
I’m going to point this at Host A to show you what an incorrect NTP status looks like.
Configuration and verification all in one go:
SW3(config)#ntp server 10.0.10.101
SW3(config)#
SW3(config)#exit
SW3#
.Aug 18 19:53:15.759: %SYS-5-CONFIG_I: Configured from console by console
SW3#
SW3#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.07 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.
Clock is Unsynchronized, Stratum 16 (unreliable time), and no ref clock!
SW3#
SW3#sh ntp assoc
address ref clock st when poll reach delay offset disp
~ 10.0.10.101 .INIT. 16 - 64 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
SW3#
It can be configured all day, but if that asterisk is missing for System Peer, this configuration needs some fixing – So to fix this just issue “ntp server 10.0.0.1” on SW3 and we are all set!
SW3(config)#ntp server 10.0.0.1
SW3(config)#
SW3(config)#exit
SW3#sh ntp status
Clock is synchronized, stratum 9, reference is 10.0.0.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is DF22FD45.2F096B41 (20:17:09.183 UTC Sat Aug 18 2018)
clock offset is 2.4332 msec, root delay is 2.06 msec
root dispersion is 9.97 msec, peer dispersion is 3.86 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000020 s/s
system poll interval is 64, last update was 306 sec ago.
SW3#
SW3#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~ 10.0.0.1 127.127.1.1 8 60 64 377 2.066 2.433 3.866
~ 10.0.10.101 .INIT. 16 - 256 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
SW3#
I hooked R2 into SW3 and configured it to get its time from SW1 as well, however Routers can take quite a lot more time to “cook” than my 3750 switches.
A couple of important things to note from the “show ntp assoc” output:
- The “Reference” clocks will always use their own Loopback address, even though it shows they are peered with the *~, so locally it will always use local “sh clock” time
- R2 has a “ref clock” of INIT, meaning that it is still Synchronizing with the NTP Master Server, and its Stratum of 16 indicates its time is currently unreliable
Let's take a look at R2 to see if it has Synchronized yet (it's been about 3-5 minutes):
HostB#sh ntp stat
Clock is synchronized, stratum 9, reference is 10.0.0.1
nominal freq is 250.0000 Hz, actual freq is 250.0007 Hz, precision is 2**24
reference time is DF2300CA.262D6718 (20:32:10.149 UTC Sat Aug 18 2018)
clock offset is -83.9639 msec, root delay is 1.86 msec
root dispersion is 120.89 msec, peer dispersion is 1.99 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000003002 s/s
system poll interval is 64, last update was 21 sec ago.
HostB#
HostB#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~ 10.0.0.1 127.127.1.1 8 39 64 377 1.868 -83.963 1.992
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
HostB#
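The reads we just did by eye on “sh ntp status” and “sh ntp assoc” can be automated, which is handy when you are checking a whole LAN of switches for the Stratum 16 / missing asterisk problem. This is an added Python example, not part of the original post or any Cisco tool: it parses sample output constructed from this lab (SW3 before the fix, and a healthy client like SW2 with a full reach register), converts the hex reference time the way IOS does, and returns findings for an unsynchronized clock, no “*” system peer, a peer stuck in .INIT. / .AUTH. and an incomplete reach register.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from the 1900 NTP epoch to the 1970 Unix epoch
# Sample output constructed from this lab: SW3 before the fix, and a healthy client like SW2
SW3_STATUS = "Clock is unsynchronized, stratum 16, no reference clock\n"
SW3_ASSOC = (" address         ref clock       st   when   poll reach  delay  offset   disp\n"
             " ~10.0.10.101     .INIT.          16      -     64     0  0.000   0.000 15937.\n")
SW2_STATUS = "Clock is synchronized, stratum 9, reference is 10.0.0.1\n"
SW2_ASSOC = "*~10.0.0.1        127.127.1.1      8     48     64   377  1.877  -1.211  0.043\n"

def ntp_hex_to_utc(stamp):
    """Turn an IOS reference time such as 'DF22F10E.D513457F' into a UTC datetime."""
    sec_hex, frac_hex = stamp.split(".")
    secs = int(sec_hex, 16) - NTP_UNIX_OFFSET
    frac = int(frac_hex, 16) / 2 ** 32  # low 32 bits are a binary fraction of a second
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(seconds=frac)

def parse_status(text):
    """Sync state, this device's own stratum and its reference, from 'show ntp status'."""
    m = re.search(r"Clock is (\w+), stratum (\d+), (?:reference is (\S+)|no reference clock)", text)
    return {"synced": m.group(1).lower() == "synchronized",
            "stratum": int(m.group(2)), "reference": m.group(3)}

# flag (* # + - x), '~' configured marker, address, ref clock, peer stratum, when, poll, reach
ASSOC_RE = re.compile(r"^\s*([*#+x-]?)(~)\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+\S+\s+(\d+)\s+(\d+)")

def parse_assoc(text):
    """Peer rows of 'show ntp associations'; reach is an octal 8-poll shift register."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if m:
            peers.append({"sys_peer": m.group(1) == "*", "address": m.group(3),
                          "refclock": m.group(4), "stratum": int(m.group(5)),
                          "reach": int(m.group(7), 8)})
    return peers

def assess(status_text, assoc_text):
    """Findings worth alerting on; an empty list means the device looks healthy."""
    status, peers = parse_status(status_text), parse_assoc(assoc_text)
    findings = []
    if not status["synced"] or status["stratum"] >= 16:
        findings.append("clock unsynchronized (stratum 16)")
    sys_peers = [p for p in peers if p["sys_peer"]]
    if not sys_peers:
        findings.append("no '*' system peer selected")
    for p in peers:
        if p["refclock"] in (".INIT.", ".AUTH.", ".DENY."):  # .DENY. = RFC 5905 kiss-o'-death code
            findings.append(f"{p['address']} stuck in {p['refclock']}")
        elif p["reach"] != 0o377:
            findings.append(f"{p['address']} reach {p['reach']:o}/377, some polls unanswered")
    if status["synced"] and sys_peers and sys_peers[0]["stratum"] + 1 != status["stratum"]:
        findings.append("own stratum should be the server's stratum + 1")
    return findings
```

Feed it the pasted output of both show commands from each device; anything other than an empty list is a switch whose logs will not line up.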
So because SW2 is Layer 2, there was no L3 “Hop” to increment my Stratum, so I’m going to do some quick configuration for testing.
Oh well, too long of a subject for a weekend night, not going there tonight 🙂
Configuring NTP Authentication and the gotchas that come with it!
Starting with the NTP Master / Server this only takes 3 commands:
SW1(config)#ntp ?
access-group Control NTP access
allow Allow processing of packets
authenticate Authenticate time sources
authentication-key Authentication key for trusted time sources
broadcastdelay Estimated round-trip delay
clock-period Length of hardware clock tick
logging Enable NTP message logging
master Act as NTP master clock
max-associations Set maximum number of associations
maxdistance Maximum Distance for synchronization
panic Reject time updates > panic threshold
passive NTP passive mode
peer Configure NTP peer
server Configure NTP server
source Configure interface for source address
trusted-key Key numbers for trusted time sources
SW1(config)#ntp authenticate ?
<cr>
SW1(config)#ntp authenticate
SW1(config)#
This enables NTP Authentication on the Master.
SW1(config)#ntp authentication-key ?
<0-4294967295> Key number
SW1(config)#ntp authentication-key 1 ?
md5 MD5 authentication
SW1(config)#ntp authentication-key 1 md5 ?
WORD Authentication key
SW1(config)#ntp authentication-key 1 md5 CCNP ?
<0-4294967295> Authentication key encryption type
<cr>
SW1(config)#ntp authentication-key 1 md5 CCNP
SW1(config)#
Not getting crazy with Encryption type, just making a key.
SW1(config)#ntp trusted-key ?
<0-4294967295> Key number
SW1(config)#ntp trusted-key 1 ?
<cr>
SW1(config)#ntp trusted-key 1
SW1(config)#
That’s all there is to configuring Authentication for your NTP Master / Server!
The ironic thing is, it does not matter one bit if Authentication is set here, because Clients will still get their time from this Master / Server with no auth configs:
SW3#sh ntp stat
Clock is synchronized, stratum 9, reference is 10.0.0.1
This is because Authentication for NTP was not made for the NTP Master / Server to Authenticate its Clients, but the Clients to be able to Authenticate that they are using the correct NTP Master / Server for their network!
Configuring Client NTP Authentication requires a fourth command, demonstrated here:
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#ntp authenticate
SW3(config)#ntp authentication-key 1 md5 CCNP
SW3(config)#ntp trusted-key 1
SW3(config)#ntp server 10.0.0.1 key 1
SW3(config)#
All values must match and are case sensitive, including the key #!
As seen, the last line “ntp server 10.0.0.1 key 1” is our fourth command for Clients to Authenticate to Servers, though really they will keep pulling time either way.
So let's take a look at SW3 now that it is Authenticated:
SW3#sh ntp status
Clock is synchronized, stratum 9, reference is 10.0.0.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is DF230722.30B94805 (20:59:14.190 UTC Sat Aug 18 2018)
clock offset is 7.0403 msec, root delay is 7.46 msec
root dispersion is 7949.26 msec, peer dispersion is 1.73 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000109 s/s
system poll interval is 64, last update was 138 sec ago.
SW3#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~ 10.0.0.1 127.127.1.1 8 26 64 7 2.363 7.040 1.730
~ 10.0.10.101 .AUTH. 16 - 256 0 0.000 0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
SW3#
Note that SW3 is still Peered to SW1, however R2 is stuck in Ref Clock .AUTH. as it slowly re-associates with the NTP Master Server.
I did verify on SW2 that no Auth config is needed:
SW2#sh ntp assoc
address ref clock st when poll reach delay offset disp
*~ 10.0.0.1 127.127.1.1 8 38 256 357 2.434 -2.503 8.224
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
SW2#
Notice absolutely no mention of Authentication anywhere in that output? That’s because we need the detailed version of the “sh ntp assoc” command to get that info!
“sh ntp assoc det” on SW3 to view Auth output:
SW3#sh ntp assoc detail
10.0.0.1 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.1.1 , time DF23099C.D5D821A1 (21:09:48.835 UTC Sat Aug 18 2018)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.42, reach 377, sync dist 12.84
delay 3.11 msec, offset 7.2580 msec, dispersion 4.22
precision 2**17, version 4
org time DF2309A9.331990B6 (21:10:01.199 UTC Sat Aug 18 2018)
rec time DF2309A9.3200F3A9 (21:10:01.195 UTC Sat Aug 18 2018)
xmt time DF2309A9.310405D2 (21:10:01.191 UTC Sat Aug 18 2018)
filtdelay = 3.73 3.14 4.33 3.33 6.89 32.81 7.94 3.11
filtoffset = 6.15 4.62 5.11 6.05 7.51 21.33 7.72 7.25
filterror = 0.01 1.00 1.96 2.95 3.91 4.89 5.85 6.82
minpoll = 6, maxpoll = 10
^^^This is just for SW3 stats, there was another chunk of data for R2’s association!
You can see the NTP Master IP, authentication, Sane (good), valid, and Stratum #.
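To make the “Clients authenticate the Server, not the other way round” point concrete, here is an added Python example (not Cisco code and not from the original post) of what the Client side is actually checking: it builds a constructed NTPv4 server reply, appends the RFC 5905 Appendix A symmetric-key MAC (key ID followed by MD5 over the key and the 48-byte header, which is the scheme “ntp authentication-key 1 md5 CCNP” configures), and verifies it the way a Client with “ntp trusted-key 1” and “ntp server 10.0.0.1 key 1” would. It assumes IOS interoperates with that standard MD5 scheme; the packet fields and the Unix timestamp are constructed.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the 1900 NTP epoch to the 1970 Unix epoch
MAC_LEN = 4 + 16              # key ID plus MD5 digest, appended after the 48-byte header

def ntp_timestamp(unix_secs):
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of binary fraction."""
    whole = int(unix_secs)
    return ((whole + NTP_UNIX_OFFSET) << 32) | int((unix_secs - whole) * 2 ** 32)

def build_server_reply(stratum, ref_id, xmt_unix):
    """Constructed NTPv4 mode-4 (server) header. Fields this example does not check are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4        # leap 0, version 4, mode 4 = server
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 6, -17,   # poll 2**6, precision 2**-17
                       0, 0, ref_id, 0, 0, 0, ntp_timestamp(xmt_unix))

def append_mac(header, key_id, key):
    """Symmetric-key MAC per RFC 5905 Appendix A: key ID || MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header[:48]).digest()

def verify_reply(packet, trusted_keys, require_auth):
    """What a Client does with a reply. trusted_keys maps key ID -> key bytes, i.e. the
    'ntp authentication-key N md5 ...' entries that are also listed under 'ntp trusted-key'.
    require_auth is True when the 'ntp server ...' line carries 'key N'."""
    header, mac = packet[:48], packet[48:]
    if not require_auth:
        return "ok"                              # no 'key N' on the server line: time is taken as-is
    if not mac:
        return "unauthenticated"
    if len(mac) != MAC_LEN:
        return "bad-mac"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return "untrusted-key"
    expected = hashlib.md5(trusted_keys[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-mac"

if __name__ == "__main__":
    client_keys = {1: b"CCNP"}                   # ntp authentication-key 1 md5 CCNP + ntp trusted-key 1
    reply = build_server_reply(8, 0x7F7F0101, 1534620302.832)   # stratum 8, ref ID 127.127.1.1
    for label, pkt in [("no MAC", reply), ("key 1", append_mac(reply, 1, b"CCNP")),
                       ("key 1, wrong secret", append_mac(reply, 1, b"ccnp")),
                       ("key 2 (not trusted)", append_mac(reply, 2, b"CCNP"))]:
        print(f"{label:22s} plain client: {verify_reply(pkt, client_keys, False):15s}"
              f" client with 'key 1': {verify_reply(pkt, client_keys, True)}")
```

The “plain client” column is SW2: every reply is accepted, MAC or no MAC. The “key 1” column is SW3: only a reply carrying a MAC computed with the exact, case-sensitive key under a trusted key ID is used, which is why the key #, the string and the case all have to match.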
Configuring NTP Authentication so the Host decides who can use it as a time source!
To do this, we must create and apply an IP Access-List to our NTP Master, so it can decide at Layer 3 which hosts are going to be able to use it for a Time Source – As we do not want it used as a Public NTP Source (and to add that extra layer of security)!
This ACL configuration is done on the Server, because it is the Server deciding who can access it and what type of access they will get!
For this lab I will write a “Standard” Access-List to just name hosts to permit for use:
SW1(config)#access-list 10 permit host 10.0.0.2
SW1(config)#access-list 10 permit host 10.0.0.4
SW1(config)#ntp ?
access-group Control NTP access
allow Allow processing of packets
authenticate Authenticate time sources
authentication-key Authentication key for trusted time sources
broadcastdelay Estimated round-trip delay
clock-period Length of hardware clock tick
logging Enable NTP message logging
master Act as NTP master clock
max-associations Set maximum number of associations
maxdistance Maximum Distance for synchronization
panic Reject time updates > panic threshold
passive NTP passive mode
peer Configure NTP peer
server Configure NTP server
source Configure interface for source address
trusted-key Key numbers for trusted time sources
SW1(config)#ntp access-group ?
peer Provide full access
query-only Allow only control queries
serve Provide server and query access
serve-only Provide only server access
SW1(config)#ntp access-group serve ?
<1-99> Standard IP access list
<1300-1999> Standard IP access list (expanded range)
WORD Named access list
SW1(config)#ntp access-group serve 10 ?
kod Send a Kiss-o-Death packet for failing peers <<THE KISS OF DEATH!!!
<cr>
SW1(config)#ntp access-group serve 10
SW1(config)#
I just love that “Kiss of Death” packet, and their term “Sane” and “Insane” in the verification, NTP has some awesome wording to it.
Anyways, the irony I was going for here is that the only device not permitted is SW3, which has Authentication enabled to the NTP Master, but let's see if it's still a Peer!
SW3 output after being shunned via Access-List:
SW3#sh ntp stat
Clock is synchronized, stratum 9, reference is 10.0.0.1
It still appears to be fine, but in time, it becomes Unsynchronized.
To demonstrate this via debug, I ran a debug on SW3, “debug ntp pack” :
SW3#
SW3#debug ntp pack
NTP packets debugging is on
SW3#
Aug 18 21:32:41.199: NTP message sent to 10.0.0.1, from interface 'Vlan1' (10.0.0.3).
SW3#
That’s almost sad, like waving at someone and they don’t wave back, ouch!
So let's take a look at SW3 and see what getting no wave back from SW1 did:
SW3#sh ntp stat
Clock is unsynchronized, stratum 16, no reference clock
So an NTP Master / Server Access-Control is that simple, rather than setting up Authentication for Clients to use on the LAN, pssh!
I’m going to wrap that up here, as I have a half written SLA article to get to!
SLA uses NTP, which got me to thinking I should re-visit NTP in depth, so next I’ll take a look at SLA and why exactly it really requires NTP to work!