Cisco Network Time Protocol (NTP)

(Thomas K) #9

Rene,

Hi. What happens if I have, say, defined three NTP servers like below on my Cisco router:

 

ntp server 10.1.1.10

ntp server 10.1.2.10

ntp server 10.1.3.10

 

Which NTP server will provide my router with the proper time?

 

Many thanks,

Thomas

(Rene Molenaar) #10

Hi Thomas,

I haven’t tested this but from what I’ve read, NTP prefers low stratum servers over high stratum servers unless the time difference between the local clock and the low stratum server is quite different.

On Cisco IOS, you can also use the “prefer” parameter to tell the router what NTP server to use as the primary:

ntp server 1.1.1.1 prefer

Rene

(Mohammad Hasanuz Zaman) #11

Hi Rene,
What is the use of the hardware clock, as the router uses the software clock when any event occurs? How will we fix the hardware clock when the software clock is manually configured? Please help me to understand it. Thx

Br/
Zaman

(Rene Molenaar) #12

Hi Zaman,

The hardware clock is used for when you reboot your device or when it’s powered off. It will keep running, unlike your software clock 🙂

The software clock can sync itself with the hardware clock. This can be useful if you don’t use NTP.

Rene

(Guy G) #13

Hi Rene,

I was wondering what is the difference between the NTP versions Cisco devices let you configure (1-4)?

(Lazaros Agapides) #14

Hello Guy!

The first complete specification of NTP, that is, Version 1, appeared in 1988 (RFC 1059) which provided simple symmetric and client server mode operation.

Version 2 appeared in 1989 (RFC 1119) and added symmetric key authentication using DES-CBC.

Version 3, which is the version that is most used today, was first described in 1992 (RFC 1305) and has been systematically improved over the years. It introduced formal correctness principles, revised algorithms and broadcast mode. This is the default version that is available in most Cisco devices using the 12.X IOS version, and the recommended minimum version you should use.

Version 4 extends the support of NTP to IPv6 and is available on any Cisco device that supports IPv6.

I hope this has been helpful!

Laz

(AZM U) #15

Hello Laz,
A few questions.

  1. Let’s say I have a router that is configured to receive the NTP information from an NTP server located on the internet. I have also configured the time locally by using the clock set command. Which time will have more preference? In other words, which time will the router use?
  2. What is the command to change time-zone in a router?
  3. Let’s say a router is configured to sync its time from an NTP server and the NTP server is feeding UTC time to the router. However, I would like the router to show EST time in the clock or, let’s say, in syslog messages as well. How can I do it?
  4. What is the difference between hardware and software clock in a router/switch?

Thank you so much as usual for your great help.

Best Regards,
Azm Uddin

(Lazaros Agapides) #16

Hello AZM

**Question 1**
When NTP is configured on a device, there is what is called a poll interval. This interval is dynamic and as client and server become better synced, and there aren’t any dropped packets, this interval increases to a maximum of 1024 seconds. If you change the time using the clock set command, the time you set will become the new time. However, when the poll interval is exhausted, the device will re-sync with the NTP server. So any changes you make manually will be overridden at the next poll interval.

**Question 2**
To change the time zone of a router, use the clock timezone _zone hours-offset_ command where

* zone is the name of the zone to be displayed - this is just a label that you can define
* hours-offset is how many hours difference from UTC

You can find more information about this command here.

**Question 3**
NTP always communicates time in UTC. If you have a time zone configured on your Cisco device and it is configured as an NTP client, then it will receive the time in UTC and will convert the clock to the local time zone. However, SYSLOG messages will always indicate UTC time by default, even if you have configured a different time zone. In order to have SYSLOG messages display the local time instead of UTC time, you can achieve this with the following command: service timestamps log datetime localtime

**Question 4**
The hardware clock of a Cisco device is a hardware chip on the motherboard of the device with a rechargeable backup battery. The hardware clock functions separately from the software clock and its main purpose is to retain the time and date information after a reboot or an extended period of time where the device is powered down.

The software clock is the clock that functions during normal operation. It is maintained in memory using the CPU as a “timekeeper”. It is this clock that can be updated and synchronised with an NTP server on the network.

These two clocks work together to maintain the most accurate time. The software clock can be updated periodically from NTP, and it in turn updates the hardware clock at regular intervals. When the device is rebooted, the software clock is synchronised with the hardware clock to obtain its initial time when it begins to function.

The two clocks can be managed separately however. More information about related commands can be found here.

I hope this has been helpful!

Laz

(sreenath r) #17

Hi Rene,

Could you please give a brief comparison of the differences between NTP, PTP and SyncE? Aren’t all three protocols used for time synchronization? Are these sync protocols used for layer 1 signaling transmission like TDM? Do we have any other usage of these protocols in a real environment (internet) apart from tracking logging information?

(Vladislav V) #18

Hi all,

Q regarding the authentication section:
Is “CoreRouter(config)#ntp authenticate” needed for the switches to authenticate the ntp updates from the core router. I believe - not? With that configuration on the CoreRouter, won’t that make the router seek authentication for the updates from the pool.ntp.org?

Cheers,
V.

(Rene Molenaar) #19

Hi Sreenath,

NTP and PTP have some similarities. NTP is the most common protocol to sync clocks on your network, that’s what you will mostly see on networks nowadays. We use it to sync the clock on network devices but also computers/servers etc. NTP uses software timestamping and supports millisecond synchronization.

PTP is similar to NTP but uses hardware timestamping and offers nanosecond or picosecond-level synchronization.

For 99% of the devices, NTP is good enough but if you have devices where millisecond-level synchronization is not good enough, PTP is another option (I have never seen it on a network btw).

SyncE is something different. You can read an explanation here:

It’s used for frequency synchronization on certain networks.

Rene

(sreenath r) #20

Hi Rene,
Thanks for the information. Sorry to inform you that I have one more doubt as I am very new to networking. Do these protocols have any other role in controlling the speed of data transmission between two network nodes from the perspective of layer 1? In an ISP, do we use any external clocking devices to control the signal transmission speed between networking nodes from the perspective of layer 1, or do all the devices use only TCP sync to control data transmission from source to destination (layer 4)?

Thanks,
Sreejith.

(Rene Molenaar) #21

Hello Sreejith,

NTP and PTP are applications (layer 7 of the OSI model).

These two protocols are mainly used so that other applications have the correct time/date. Think of stuff like logging information or network management. You want to have the correct timestamps on your log lines, and you want it to be the same on all your devices.

Clocking for interfaces is usually done on layer 1. If you would do it on a higher layer, you get into a chicken and egg issue…

How can you use a clocking mechanism on let’s say layer 7 if layer 1/2/3/4/5/6 are not operational yet? 🙂

Hope this helps!

Rene

(sreenath r) #22

Hi Rene,
Thanks for your reply. Now I understand NTP and PTP. I just wonder about how traffic (packets) flows inside an ISP, as I didn’t get a chance to work or look inside one 😉 I know that when we connect routers’ serial interfaces we have to set one end as DTE and the other as DCE (belongs to the ISP) for layer 1 signal synchronization (for matching speed). Does the internet service use any kind of external clocking devices along with routers, or does it use the routers’ hardware clocks? I only know that Ethernet is asynchronous and we don’t need any external clock signal to carry the data signal, but serial interfaces need a clocking signal to carry data. Could you please explain a little more about the need for a clocking signal (layer 1) in an ISP environment (WAN)? 🙂
Thanks,
Sreejith

(Lazaros Agapides) #23

Hello Sreenath

Concerning the clocking mechanism for serial connections. This is a mechanism that is different from the clock on the device. The clock on the device is the actual current date and time.

The clocking signal or the clock rate on a serial connection is really just a method of stating how fast the bits will be sent on the circuit. It can also be viewed as the configured bandwidth on the serial connection. A clock rate of 9600 will send 9600 bits every second for example.

As you said, this clocking signal is usually sent by the ISP or the serial circuit provider as they are responsible for setting the bandwidth of the circuit based on the contract that you as a subscriber have set up with them.

I hope this has been helpful!

Laz

(blue B) #24

Hi Rene,

I would like some clarity on your statement that when Corerouter goes down, SW1 and SW2 can update or synch each other’s clock by using the ntp peer feature. If the Corerouter is the NTP master and it gets its time from an external clock, does this mean NTP is still working for SW1 and SW2 even though there are no alternate NTP servers?

(Lazaros Agapides) #25

Hello blue

Keep in mind that NTP as a protocol is responsible for periodic verification and resyncing of device clocks. This means that if a device is synced today, it will most likely keep reliable time for several days, weeks or even more.

So in the example that concerns your question, if the Core device’s NTP configuration fails, and SW1 and SW2 can no longer sync with that device, they will still keep reliable time for the next while simply because their clocks are still functioning. NTP will still operate on SW1 and SW2, and they will be querying the Core device for NTP information, but no response will come since it is down. However, the two switches have the option, if it is configured, to at least remain synchronised with each other using the NTP peer feature, which is important especially for troubleshooting and for making sense of syslog info.

I hope this has been helpful!

Laz

(Kevin W) #26

I seem to be having trouble with the NTP authentication. I have no problem configuring NTP using unicast, broadcast or multicast. However, when I try to add authentication into my lab, my NTP associations never go down. Also, if I start the lab from scratch, configuring authentication on the NTP server before adding any clients, and then I add the clients without specifying a key, the NTP association still comes up. Could someone take a look at my configs and tell me what I am doing wrong?

R1 NTP SERVER

ntp authentication-key 1 md5 1326343C3B 7
ntp authenticate
ntp trusted-key 1
ntp master

R2 NTP client

ntp server 10.1.1.1

Am I crazy or with the above config should R2 fail to make an NTP association? Thanks for any help you can provide!

(Rene Molenaar) #27

Hello Kevin,

NTP authentication can be confusing. With your configuration, no authentication occurs because the client isn’t configured for authentication. I did a quick lab with your configuration.

The server will send “regular” NTP packets without an MD5 hash. Once you change the ntp server command on the client, it works.

Before:

https://www.cloudshark.org/captures/c40ea3a2748b

After:

Client(config)#ntp server 192.168.1.1 key 1

https://www.cloudshark.org/captures/e016b1c2e8a8

Once the client wants to use authentication, the server responds with the same MD5 hash. It doesn’t let you prevent clients from using your NTP server.

Hope this helps!

Rene
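Added example (not part of the thread or the lesson): a Python sketch of the difference between the "before" and "after" exchanges described above, seen from the wire. It tells a plain 48-byte NTP reply apart from one carrying a symmetric-key MAC (32-bit key ID plus MD5 digest over key and header) and verifies that MAC. The key, the packet contents and the `client_accepts` policy model are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48           # fixed NTP header
MAC_LEN = 4 + 16          # 32-bit key ID + 128-bit MD5 digest
KEYS = {1: b"constructed-lab-key"}   # constructed key, not the one from the thread

def md5_mac(key, header):
    # Symmetric-key NTP digest: MD5 over the shared key followed by the header.
    return hashlib.md5(key + header).digest()

def build_reply(key_id=None, key=None, stratum=8):
    # Constructed server reply: LI=0, VN=3, mode=4 (server), remaining fields zeroed.
    header = struct.pack("!BBbb", (3 << 3) | 4, stratum, 6, -20) + bytes(44)
    if key_id is None:
        return header                      # what an unauthenticated exchange looks like
    return header + struct.pack("!I", key_id) + md5_mac(key, header)

def classify(packet, keys):
    # Decide from length and MAC whether a reply is authenticated.
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "unsupported-length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key = keys.get(struct.unpack("!I", mac[:4])[0])
    if key is None:
        return "unknown-key"
    ok = hmac.compare_digest(md5_mac(key, header), mac[4:])
    return "authenticated" if ok else "bad-mac"

def client_accepts(packet, keys, require_auth):
    # Simplified policy model (assumption): require_auth=False stands for a client
    # with plain "ntp server <ip>", require_auth=True for "ntp server <ip> key 1"
    # with the key trusted on the client.
    verdict = classify(packet, keys)
    if require_auth:
        return verdict == "authenticated"
    return verdict in ("unauthenticated", "authenticated")

if __name__ == "__main__":
    samples = {"plain": build_reply(),
               "signed": build_reply(1, KEYS[1]),
               "forged": build_reply(1, b"wrong-key")}
    for name, pkt in samples.items():
        print(name, classify(pkt, KEYS), client_accepts(pkt, KEYS, True))
```

The check that matters sits on the client: only a client that requires a valid MAC rejects the plain and forged replies.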

(Chris N) #28

Hi Rene

Does that mean that even once you configure an authentication key on the server, it will continue to accept plain-text clients anyway?

---

Also with the master command, where would you apply the ACL so it can talk to itself (127.127.7.1/127.127.1.1)
