Cisco Network Time Protocol (NTP)

Hi Laz,

I am unable to understand the use of Remote authentication and Local authentication here. Can you explain why we are using them?

Hello Pradyumna

I’m not sure which lesson you are referring to. Can you clarify?

Laz

Hello Rene/Laz:

If I configure ntp master 8 on one router and this router cannot find any server with a stratum lower than 8, will it synchronize with its own clock, or can it still synchronize with a server with a stratum higher than 8? Can you help me with this question? Thanks in advance!!

Hello Ovaldo

Yes, that is correct. If you configure a device as master with a stratum of 8, then it will only synchronize itself with other devices of stratum 8 or lower. Remember that the stratum system is used in something like a spanning tree, so that there are no synchronization loops taking place. This configuration simply says that the device considers its own internal clock “closer” to a stratum 0 device than any device with a stratum value higher than its own.

I hope this has been helpful!

Laz

1 Like

Hey everyone,

I’ve configured the following topology for NTP:

image

The NTP details for Router A look normal:

However, on Router B (which I’ve configured to use Router A as the NTP server), things look a bit weird:

The Stratum I would have expected to be 2 (since it’s one more hop away from the NTP server), however it’s showing as 0. And the Reach is showing as 0, even though the time is synced.

Any idea why this might be?

Thanks for your help!

Hello Louis

It looks like router B has not synchronized, since it is still in the INIT state under the ref clock heading. You can also see that the reach is 0 which means it hasn’t received any NTP packets, and the disp. is also very high. All of this seems to indicate that it has not successfully synced with the server.

The strange thing is that it does show a stratum of 0 and a * at the beginning, which seem to be contradicting the rest of the data.

I suggest you troubleshoot NTP connectivity to the server, and once you get connectivity, I believe the issues will be resolved. Take a look at this Cisco documentation, as it may be helpful to you.

I hope this has been helpful!

Laz
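The check described in the reply above, as an added example that is not part of the original posts: it reads `show ntp associations` rows and judges each peer on its reach register and ref clock rather than on the `*` flag alone. The sample output, addresses and the function name `check_associations` are constructed for illustration.

```python
import re

# Constructed sample output, shaped like `show ntp associations`; the first
# row mirrors the symptoms described in the thread ('*', .INIT., reach 0).
SAMPLE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.12.1    .INIT.           0      -     64     0  0.000   0.000 15937.
+~192.168.12.2    10.0.0.1         2     33     64   377  1.204   0.512  0.189
 ~192.168.12.3    10.0.0.1         2     12     64    17  1.100  -0.300  1.950
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

ROW = re.compile(
    r"^\s*(?P<flags>[*#+x~-]*)(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ref>\S+)\s+(?P<st>\d+)\s+\S+\s+\d+\s+(?P<reach>[0-7]{1,3})\s"
)

def check_associations(text):
    """Return one finding per peer row, judged on reach and ref clock."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend or blank line
        reach = int(m["reach"], 8)  # octal view of an 8-bit shift register
        problems = []
        if reach == 0:
            problems.append("no reply to any of the last 8 polls")
        elif not reach & 1:
            problems.append("most recent poll went unanswered")
        if "INIT" in m["ref"].upper():
            problems.append("reference clock still in INIT")
        findings.append({
            "peer": m["addr"],
            "marked_sys_peer": "*" in m["flags"],
            "stratum": int(m["st"]),
            "polls_answered": bin(reach).count("1"),
            "healthy": not problems,
            "problems": problems,
        })
    return findings

if __name__ == "__main__":
    for f in check_associations(SAMPLE):
        print(f)
```

A reach of 377 means all eight recent polls were answered; 17 means only the last four were, which is what a peer that has just become reachable looks like.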

Hello guys,
I would like to know whether it is possible to set up NTP via DHCP. I am using a simple topology as below, where R1 is set up as an NTP server and is getting its time from pool.ntp.org. There is a DHCP pool on R1 which provides IP addresses for the LAN (where SW1 resides). A quick Google search says that there is Option 42 in DHCP - this option carries the NTP servers used on the network. I configured “option 42 ip 192.168.10.1” - 10.1 is the IP on R1 fa0/0. The IP address on SW1 was assigned via DHCP but not the time.

Thanks for help,
Peter

Hello Peter

The configuration of the DHCP server to send option 42 is quite simple, as you have configured it. However, how a client receives this information depends on various factors. For Cisco devices, if you configure them as DHCP clients, not all IOS versions support the use of Option 42.

For example, according to this Cisco Community Thread, TAC (Cisco support) seems to have responded that IOS 15.2(2) doesn’t support option 42 as a DHCP client.

Now in order to receive the appropriate DHCP option, you must use the ip dhcp client request command in configuration mode of the interface which you are configuring as a DHCP client. Looking at a Cisco CSR running 15.7(3) as an example, I get the following options for this command:

R1(config-if)#ip dhcp client request ?
  classless-static-route       Classless static route (121)
  dns-nameserver               DNS nameserver (6)
  domain-name                  Domain name (15)
  netbios-nameserver           NETBIOS nameserver (44)
  router                       Default router option (3)
  sip-server-address           SIP server address (120)
  static-route                 Static route option (33)
  tftp-server-address          TFTP server address (150)
  vendor-identifying-specific  Vendor identifying specific info (125)
  vendor-specific              Vendor specific option (43)
  <cr>

R1(config-if)#

Notice that none of them are NTP option 42, so it seems this device and IOS don’t support it.

For Cisco IOS XE 16.11, this Cisco documentation seems to indicate that it is supported, as it gives you the option of specifying DHCP option 42.

In any case, you will have to see the platform and IOS version of the switch, and see if it accepts the DHCP option for NTP.

I hope this has been helpful!

Laz
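One way to see which side is dropping option 42, as an added example that is not part of the original posts: parse the DHCP option fields from a captured DISCOVER and OFFER and report whether the client listed 42 in its Parameter Request List (option 55) and which NTP servers the server returned. The byte strings are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed DHCP option fields (the bytes after the magic cookie), not
# captured traffic. The DISCOVER requests options 1, 3, 6 and 15 only.
DISCOVER_OPTS = bytes([53, 1, 1, 55, 4, 1, 3, 6, 15, 255])
OFFER_OPTS = bytes([53, 1, 2,
                    1, 4, 255, 255, 255, 0,
                    3, 4, 192, 168, 10, 1,
                    42, 4, 192, 168, 10, 1,   # NTP server, as in the post
                    255])

def parse_options(blob):
    """Walk the code/length/value list; 0 is padding, 255 ends the list."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: missing length byte")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = data
        i += 2 + length
    return opts

def ntp_option_report(client_opts, server_opts):
    """Return (client asked for 42?, NTP servers the server offered)."""
    requested = 42 in parse_options(client_opts).get(55, b"")
    raw = parse_options(server_opts).get(42, b"")
    if len(raw) % 4:
        raise ValueError("option 42 length is not a multiple of 4")
    servers = [str(ipaddress.IPv4Address(raw[j:j + 4]))
               for j in range(0, len(raw), 4)]
    return requested, servers

if __name__ == "__main__":
    print(ntp_option_report(DISCOVER_OPTS, OFFER_OPTS))
```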

Hi,

I have a question about NTP.
If the NTP server is in a different timezone and you use this NTP server on your switch to sync the time, does that go well, or do you need to do additional configuration so that the logging timestamps and the clock are the same?

Hello Ronald

Authoritative NTP sources that are found on the Internet always use Coordinated Universal Time (UTC) regardless of where on Earth they are located. UTC is essentially the same as Greenwich Mean Time (GMT).

Each Cisco device that wants to synchronize with an NTP source is configured with the timezone in which it is located. (By default, the timezone is set to UTC). Now you can configure the timezone using the clock timezone command. Whenever a Cisco device synchronizes with an NTP source, it makes the necessary adjustments to the time to ensure the correct time zone is calculated. For this reason, it is important to correctly configure the timezone so that the NTP synchronization is done correctly.

More information about this command can be found here:

I hope this has been helpful!

Laz

Hey Rene,
I didn’t understand how the topology works when you have one interface connected to two switches?

Hello Itzhak

Whenever you see a topology similar to this:


…it simply means that the Fa0/0 interface on the Core, and the Fa0/24 interfaces on the switches are on the same subnet. You can imagine that an unmanaged switch exists there connecting all three devices to the same broadcast domain/network segment. As you can see, all of the interface IP addresses indicate that they are indeed on the same subnet.

I hope this has been helpful!

Laz

Hey Lazaros,

Thanks for the comment.
I tried to build the topology again, but it doesn’t match the output of the configuration of the devices in my topology.
I also tried to work on the HSRP lab, and I didn’t understand what to configure when there is an R1 device in there.
If there’s any option for you to send the labs so I can see what they look like, or another option that you can think of, that would really help.

Thanks again,

Itzhak.

On Tue, 2 Mar 2021 at 13:43, Lazaros Agapides via NetworkLessons.com Community Forum <forum@networklessons.com> wrote:

Hello Itzhak

Most lessons have a section where you can see the configurations used by Rene. You can use those as a guideline to create your topologies and configure your labs. If you have specific questions about the labs, about particular commands or behaviors that you experience in your topology, please share them in more detail so we can help you specifically.

I hope this has been helpful!

Laz

Hello,

You don’t need to make the Core Router an NTP server (with the ntp master command) for the SW because you are already pointing from it to an NTP server (pool.ntp.org)?
If you were not pointing to another NTP server, would you need to make it an NTP server to be able to serve NTP to the clients (switches)?

Is that correct?

Thank you
Regards

Hello Alexis

When you configure a network device, such as the Core Router in this lesson, to operate as an NTP server, you don’t actually have to explicitly configure it as a server. The fact that the switches are configured with the command ntp server 192.168.123.3 makes the Core Router the NTP server, and the switches the NTP clients.

The ntp server pool.ntp.org command configured on the Core Router actually makes this device an NTP client to the pool.ntp.org server, but at the same time it retains the role of NTP server for the switches.

Now the master command is simply used to let a device know to consider its own clock as valid, and it is also used to manually set a stratum number for this NTP source. This way, clients of this device will adopt their stratum number based on the locally configured one. This type of configuration means that no external NTP sources are used for synchronization.

I hope this has been helpful!

Laz

Following the topology in the attachment below, I am not able to get r2 and r3 to synchronize in GNS3. Any suggestion? I tried almost all the combinations: sw3 pointing to r1, then the remaining switches pointing to the others…, r1 as master, nothing again, then peering, nothing…

https://uniwagr-my.sharepoint.com/:u:/g/personal/cse30244_uniwa_gr/EYOeop7OOs9Ho03eRw54ePMBHeRAQk9aX4ZMAXsC4ivvcA?e=7umsHP

Hello Konstantinos

There may be many different reasons for synchronization not taking place in an NTP environment. Although I am not able to take a look at your particular topology, you can use some of the principles found in the following comprehensive Cisco troubleshooting guides for NTP:

Now having said that, some of the most common issues that involve NTP include connectivity, stratum numbers too high, or misconfiguration with clock time zone or clock summer time commands.

Go through the troubleshooting process and let us know how you get along. Share some of your debugs and outputs with us so we can help you further if you have not resolved the issue.

I hope this has been helpful!

Laz

Hi!
In the current network I support, all Cisco devices (routers, switches, and firewalls) point to the domain controllers (Windows NTP server) to sync time. Now that we are hardening our posture to be more aligned with security best practices, we must configure NTP authentication keys on every network device so that the communication between the NTP client and server is authenticated. Is it possible to achieve MD5 authentication on the Windows NTP server between Cisco devices? If so, how do you configure the MD5 key on the Windows server?

Hello Shannon

After doing a bit of research, I have found that, unfortunately, the Windows NTP server, which uses Windows Time Service (W32Time), does not natively support MD5 authentication for NTP as Cisco devices do. If you want to use MD5 you will have to look for another NTP server solution such as using a Linux server with the NTP daemon “ntpd.”

I hope this has been helpful!

Laz

1 Like
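What MD5 authentication adds to an NTP packet, as an added example that is not part of the original posts: in the symmetric-key scheme of RFC 5905 the sender appends a 4-byte key ID and the MD5 digest of the shared key followed by the NTP header, and the receiver recomputes it with its own copy of that key. The header bytes, key values and the names `add_mac`, `verify` and `trusted_keys` are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN, MAC_LEN = 48, 4 + 16   # NTP header; key ID + MD5 digest

def sample_header():
    """Constructed 48-byte client request: LI=0, VN=4, Mode=3, rest zero."""
    return bytes([0x23]) + bytes(HEADER_LEN - 1)

def add_mac(header, key_id, key):
    """Sender side: append key ID and MD5(key || header)."""
    if len(header) != HEADER_LEN:
        raise ValueError("this sketch handles a bare 48-byte header only")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet, trusted_keys):
    """Receiver side: accept only a packet signed with a key it trusts."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                      # no MAC present: unauthenticated
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False                      # key ID not configured as trusted
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])

if __name__ == "__main__":
    trusted_keys = {1: b"constructed-shared-key"}   # hypothetical key table
    pkt = add_mac(sample_header(), 1, b"constructed-shared-key")
    print("same key and ID:", verify(pkt, trusted_keys))
    print("different key:  ", verify(pkt, {1: b"some-other-key"}))
    print("no MAC at all:  ", verify(sample_header(), trusted_keys))
```

Both ends must hold the same key under the same key ID; a server that cannot append this MAC leaves clients that require it with nothing to verify.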