Cisco Network Time Protocol (NTP)

Hello Guy!

The first complete specification of NTP, that is, Version 1, appeared in 1988 (RFC 1059), which provided simple symmetric and client/server mode operation.

Version 2 appeared in 1989 (RFC 1119) and added symmetric key authentication using DES-CBC.

Version 3, which is the version most used today, was first described in 1992 (RFC 1305) and has been systematically improved over the years. It introduced formal correctness principles, revised algorithms and broadcast mode. This is the default version that is available in most Cisco devices using the 12.X IOS version, and the recommended minimum version you should use.

Version 4 extends the support of NTP to IPv6 and is available on any Cisco device that supports IPv6.

I hope this has been helpful!

Laz

Hello Laz,
A few questions.

  1. Let’s say I have a router that is configured to receive the NTP information from an NTP server located on the internet. I have also configured the time locally by using the clock set command. Which time will have more preference? In other words, which time will the router use?
  2. What is the command to change the time zone in a router?
  3. Let’s say a router is configured to sync its time from an NTP server and the NTP server is feeding UTC time to the router. However, I would like the router to show EST time in the clock, or let’s say in syslog messages as well. How can I do it?
  4. What is the difference between the hardware and software clock in a router/switch?

Thank you so much as usual for your great help.

Best Regards,
Azm Uddin

Hello AZM

**Question 1**
When NTP is configured on a device, there is what is called a poll interval. This interval is dynamic and as client and server become better synced, and there aren’t any dropped packets, this interval increases to a maximum of 1024 seconds. If you change the time using the clock set command, the time you set will become the new time. However, when the poll interval is exhausted, the device will re-sync with the NTP server. So any changes you make manually will be over-ridden at the next poll interval.

**Question 2**
To change the time zone of a router, use the clock timezone _zone hours-offset_ command where

* zone is the name of the zone to be displayed - this is just a label that you can define
* hours-offset is how many hours difference from UTC

You can find more information about this command here.

**Question 3**
NTP always communicates time in UTC. If you have a time zone configured on your Cisco device and it is configured as an NTP client, then it will receive the time in UTC and will convert the clock to the local time zone. However, SYSLOG messages will always indicate UTC time by default, even if you have configured a different time zone. In order to have SYSLOG messages display the local time instead of UTC time, you can achieve this with the following command: service timestamps log datetime localtime

**Question 4**
The hardware clock of a Cisco device is a hardware chip on the motherboard of the device with a rechargeable backup battery. The hardware clock functions separately from the software clock and its main purpose is to retain the time and date information after a reboot or an extended period of time where the device is powered down.

The software clock is the clock that functions during normal operation. It is maintained in memory using the CPU as a “timekeeper”. It is this clock that can be updated and synchronised with an NTP server on the network.

These two clocks work together to maintain the most accurate time. The software clock can be updated periodically from NTP, and it in turn updates the hardware clock at regular intervals. When the device is rebooted, the software clock is synchronised with the hardware clock to obtain its initial time when it begins to function.

The two clocks can be managed separately however. More information about related commands can be found here.

I hope this has been helpful!

Laz

Hi Rene,

Could you please give a brief comparison of the differences between NTP, PTP and SyncE? Aren’t all three protocols used for time synchronization? Are these sync protocols used for layer 1 signaling transmission like TDM? Do we have any other usage of these protocols in a real environment (internet) apart from tracking logging information?

Hi all,

Q regarding the authentication section:
Is “CoreRouter(config)#ntp authenticate” needed for the switches to authenticate the ntp updates from the core router. I believe - not? With that configuration on the CoreRouter, won’t that make the router seek authentication for the updates from the pool.ntp.org?

Cheers,
V.

Hi Sreenath,

NTP and PTP have some similarities. NTP is the most common protocol to sync clocks on your network, that’s what you will mostly see on networks nowadays. We use it to sync the clock on network devices but also computers/servers etc. NTP uses software timestamping and supports millisecond synchronization.

PTP is similar to NTP but uses hardware timestamping and offers nanosecond or picosecond-level synchronization.

For 99% of the devices, NTP is good enough but if you have devices where millisecond-level synchronization is not good enough, PTP is another option (I have never seen it on a network btw).

SyncE is something different. You can read an explanation here:

It’s used for frequency synchronization on certain networks.

Rene

Hi Rene,
Thanks for the information. Sorry to inform you that I have one more doubt as I am very new to networking. Do these protocols have any other role in controlling the speed of data transmission between two network nodes from the perspective of layer 1? In an ISP, do we use any external clocking devices to control the signal transmission speed between networking nodes at layer 1, or do all the devices use only TCP sync to control data transmission from source to destination (layer 4)?

Thanks,
Sreejith.

Hello Sreejith,

NTP and PTP are applications (layer 7 of the OSI model).

These two protocols are mainly used so that other applications have the correct time/date. Think of stuff like logging information or network management. You want to have the correct timestamps on your log lines, and you want it to be the same on all your devices.

Clocking for interfaces is usually done on layer 1. If you would do it on a higher layer, you get into a chicken and egg issue…

How can you use a clocking mechanism on let’s say layer 7 if layer 1/2/3/4/5/6 are not operational yet? :slight_smile:

Hope this helps!

Rene

Hi Rene,
Thanks for your reply. Now I understand NTP and PTP. I just wonder about how traffic (packet) flow works inside an ISP, as I didn’t get a chance to work inside one :wink: I know when we connect routers’ serial interfaces we have to set one end as DTE and the other as DCE (belonging to the ISP) for layer 1 signal synchronization (for matching speed). Does the internet service use any kind of external clocking devices along with routers, or do they use the routers’ hardware clocks? I only know that Ethernet is asynchronous, so we don’t need any external clock signal to carry the data signal, but serial interfaces need a clocking signal to carry data. Could you please explain a little more about the need for a clocking signal (layer 1) in an ISP environment (WAN)? :slight_smile:
Thanks,
Sreejith

Hello Sreenath

Concerning the clocking mechanism for serial connections: this is a mechanism that is different from the clock on the device. The clock on the device is the actual current date and time.

The clocking signal or the clock rate on a serial connection is really just a method of stating how fast the bits will be sent on the circuit. It can also be viewed as the configured bandwidth on the serial connection. A clock rate of 9600 will send 9600 bits every second for example.

As you said, this clocking signal is usually sent by the ISP or the serial circuit provider as they are responsible for setting the bandwidth of the circuit based on the contract that you as a subscriber have set up with them.

I hope this has been helpful!

Laz

Hi Rene,

I would like some clarity on your statement that when CoreRouter goes down, SW1 and SW2 can update or sync each other’s clock by using the ntp peer feature. If CoreRouter is the NTP master and it gets its time from an external clock, does this mean NTP is still working for SW1 and SW2 even though there are no alternate NTP servers?

Hello blue

Keep in mind that NTP as a protocol is responsible for periodic verification and resyncing of device clocks. This means that if a device is synced today, it will most likely keep reliable time for several days, weeks or even more.

So in the example that concerns your question, if the Core device’s NTP configuration fails, and SW1 and SW2 can no longer sync with that device, they will still keep reliable time for the next while simply because their clocks are still functioning. NTP will still operate on SW1 and SW2, and they will be querying the Core device for NTP information, but no response will come since it is down. However, the two switches have the option, if it is configured, to at least remain synchronised with each other using the NTP peer feature, which is important especially for troubleshooting and for making sense of syslog info.

I hope this has been helpful!

Laz

I seem to be having trouble with the NTP authentication. I have no problem configuring NTP using unicast, broadcast or multicast. However, when I try to add authentication into my lab my NTP associations never go down. Also, if I start the lab from scratch configuring authentication on the NTP server before adding any clients, then add the clients without specifying a key, the NTP association still comes up. Could someone take a look at my configs and tell me what I am doing wrong?

R1 NTP SERVER

ntp authentication-key 1 md5 1326343C3B 7
ntp authenticate
ntp trusted-key 1
ntp master

R2 NTP client

ntp server 10.1.1.1

Am I crazy or with the above config should R2 fail to make an NTP association? Thanks for any help you can provide!

Hello Kevin,

NTP authentication can be confusing. With your configuration, no authentication occurs because the client isn’t configured for authentication. I did a quick lab with your configuration.

The server will send “regular” NTP packets without an MD5 hash. Once you change the ntp server command on the client, it works.

Before:

https://www.cloudshark.org/captures/c40ea3a2748b

After:

Client(config)#ntp server 192.168.1.1 key 1

https://www.cloudshark.org/captures/e016b1c2e8a8

Once the client wants to use authentication, the server responds with the same MD5 hash. It doesn’t let you prevent clients from using your NTP server.

Hope this helps!

Rene


Hi Rene

Does that mean that even once you configure an authentication key on the server, it will continue to accept plain-text clients anyway?

---

Also with the master command, where would you apply the ACL so it can talk to itself (127.127.7.1/127.127.1.1)


I am wondering the same thing as Chris. If anyone has any explanation please let us know!

Thanks,
Scott

Hello Chris

Based on the following Cisco documentation, a device will drop any packets that fail the authentication check and prevent them from updating the local clock.

However, the configured authentication only restricts the NTP client from accepting the synchronisation or not. If another NTP client without authentication attempts to connect and synchronise, it will be able to. The authentication check is always done on the client side.

So if you were to configure this in the CoreRouter, you would have to add the following command:

CoreRouter(config)#ntp master
CoreRouter(config)#access-list 1 permit 127.127.7.1
CoreRouter(config)#ntp access-group peer 1

I hope this has been helpful!

Laz

Hi Rene,

I have a small doubt regarding the NTP packet exchange. Here is my topology:


I have configured R1 as my NTP server using the ntp master command.

R1 configuration:

ntp master
access-list 1 permit 127.127.7.1
ntp access-group peer 1

R2 configuration:

ntp server 192.168.123.1

R3 configuration:

ntp server 192.168.123.1

My Question:

When I tried to check the clock synchronization status on R2 and R3 using show ntp associations and show ntp status, my clock was not getting synchronized on either R2 or R3.

When I tried to perform debug ntp packets on R1, I could see NTP packets being sent from R1 to the NTP server, but there was no reply from the NTP server. I checked whether any ACL was blocking the return packets from the NTP server, but there is no ACL configured. But when I configured R2 and R3 as NTP clients allowed to get updates from the NTP server, my clock got synchronized.

My Question:

Do we need to permit R2 and R3 through ACL on R1 (NTP Server) to get the clock synchronized ?

R2(config)#do sh ntp association

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.168.123.1    0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

R3#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.168.123.1    0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

NTP Debug packets;

R2#
*Mar  1 00:44:47.755: NTP: xmit packet to 192.168.123.1:
*Mar  1 00:44:47.755:  leap 3, mode 3, version 3, stratum 0, ppoll 64
*Mar  1 00:44:47.755:  rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
*Mar  1 00:44:47.759:  ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
*Mar  1 00:44:47.759:  org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
*Mar  1 00:44:47.759:  rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
*Mar  1 00:44:47.759:  xmt C0294D7F.C17FCA1C (00:44:47.755 UTC Fri Mar 1 2002)

After adding the below ACL on R1 my clock got synchronized:

core-router(config)#ntp access-group serve-only 12
core-router(config)#access-list 12 permit 192.168.123.2
core-router(config)#access-list 12 permit 192.168.123.3
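The packet fields in the debug ntp packets output above, and the MD5 authenticator Rene described earlier in the thread (added by the client with ntp server ... key 1, answered by the server with the same hash), as an added Python example that is not from the original thread or from Cisco's code. It rebuilds the 48-byte NTP v3 client packet from the debug fields, decodes the xmt timestamp, and shows the authenticator check a client performs on a reply; the precision field value and the key LabKey are constructed assumptions.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # NTP era 0 starts in 1900

def ntp_ts_to_datetime(raw):
    """Decode a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to UTC."""
    secs, frac = raw >> 32, raw & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=frac * 10**6 // 2**32)

def build_client_packet(xmt):
    """Build the NTP v3 client packet from the debug output: leap 3 (unsynchronised),
    version 3, mode 3 (client), stratum 0, ppoll 64. Precision -6 is a constructed value."""
    li_vn_mode = (3 << 6) | (3 << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 6, -6)      # ppoll 64 s = 2**6
    rtdel, rtdsp, refid = 0x0000, 0x10001, 0                  # 0.000 ms, 1000.015 ms, 0.0.0.0
    ref = org = rec = 0                                       # never synchronised: all 1900
    return header + struct.pack("!IIIQQQQ", rtdel, rtdsp, refid, ref, org, rec, xmt)

def parse_header(packet):
    """Return the fields a reader would compare against the debug output."""
    li_vn_mode, stratum, ppoll = struct.unpack("!BBb", packet[:3])
    xmt = struct.unpack("!Q", packet[40:48])[0]
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7,
            "mode": li_vn_mode & 7, "stratum": stratum, "ppoll": 2 ** ppoll,
            "xmt": ntp_ts_to_datetime(xmt).strftime("%H:%M:%S.%f")[:-3] + " UTC"}

def add_md5_authenticator(packet, key_id, key):
    """Append the authenticator 'ntp server ... key N' adds: key id + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()

def verify_md5_authenticator(packet, trusted_keys):
    """The check a client does on a reply: accept only a MAC made with a trusted key.
    A packet with no authenticator at all is reported as unauthenticated (False)."""
    if len(packet) != 48 + 20:
        return False
    body, trailer = packet[:48], packet[48:]
    key = trusted_keys.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + body).digest(), trailer[4:])

if __name__ == "__main__":
    plain = build_client_packet(0xC0294D7FC17FCA1C)          # xmt from the debug output
    keys = {1: b"LabKey"}                                     # constructed key, not the lab's
    signed = add_md5_authenticator(plain, 1, keys[1])
    print(parse_header(plain), verify_md5_authenticator(plain, keys), verify_md5_authenticator(signed, keys))
```

The unauthenticated packet is rejected only because this check demands a MAC; as Rene noted, a Cisco server answers plain clients anyway, so the trust decision lives on the client.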

Hello Ganesh

It is not necessary to have an ACL on the clients in order to get NTP to sync. If you have no ACLs set on any of the devices, the syncing will function just like it shows in the lesson. However, if you enable the ntp access-group peer X command, even if it is to enable the loopback address of 127.127.7.1, and to configure the stratum, then you must add the ntp access-group serve-only Y command in order to specify from which clients you will accept NTP requests.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for the provided information. My question: do we need to allow the R2 and R3 IPs on the NTP server R1 through an ACL? My clock was not getting synchronised at all; after adding R2 and R3 as clients to the NTP server through the ACL, my clock synchronised.