Great !!! Thanks a lot as usual.
1 Like
Hi Rene,
Can you please explain NTP Symmetric Active & Passive Mode?
Also please explain Timestamp calculations in NTP.
Hello Siji
Symmetric Active/Passive mode is a mode of association between NTP servers. There are two other modes available, specifically, the Client/Server mode and the Broadcast mode.
Cisco gives a comprehensive explanation of the Symmetric Active/Passive mode (and the other available modes) at the following link:
Timestamp calculations for NTP are used by the associated algorithms to adjust the time of the client clock to align with the time of the server clock. The 64-bit timestamps used by NTP consist of a 32-bit part for seconds and a 32-bit part for fractional second, giving a time scale that rolls over every 2^32 seconds (136 years) and a theoretical accuracy of down to 2^-32 seconds (233 picoseconds).
NTPv4 introduces an improvement on this with a 128-bit date format: 64 bits for the second and 64 bits for the fractional-second resolving any issues involved with rollover ambiguity.
I hope this has been helpful!
Laz
1 Like
Thanks a lot . I will check the Cisco explanation.
1 Like
Hey, Rene mentions that:
âAuthentication is great but there is still one security problem to tackle. A NTP server will serve updates to any NTP client and a NTP client will accept any IP address as the NTP server.â
About the first part of the sentence:
I get that an NTP Server will serve updates to any NTP Client that is configured to use him.
About the second part of the sentence:
- How is it possible that an NTP Client will accept any IP Address as the NTP Server if when we
configure an NTP Client to use an NTP Server we use the command#ntp server x.x.x.xwhere the x.x.x.x is the IP Address of the server. - If we enabled authentication on the switches so they wonât accept NTP updates from any NTP Server that has IP 192.168.123.3 configured, - WHY do we need Access-Lists too?
- If we use authentication we donât need to use access-control (and vice versa)? and if we need both, then why?
Thanks in advance, Inon.
if we use ântp server 192.168.123.3â , what is the benefit to use
SW2(config)#access-list 3 permit 192.168.123.3
SW2(config)#ntp access-group peer 3
both commands implement the same issue ?
Hi,
when I type the command ntp server pool.ntp.org is the hostname dns translated in the moment the command is inserted, so the result is the same as if the inserted command was ntp server 193.204.114.233 (say in that moment pool.ntp.org resolves with that ipv4 addr)?
Do the same happen when i insert a hostname in an ACL?
Best
Pietro
Hi Guys,
I am wondering how can I authenticate NTP multicast and broadcast ?
I set NTP multicast key on interface, plus the usual NTP authenticate and NTP authentication trusted key.
By looking at the debug I see that authentication is passing, but clock is not being synced.
Have I missed something ?
Thanks,
Peter
Forgot to mention,
sh ntp association is empty
Hello Peter
If the authentication is passing, but your NTP association is empty, then the problem may not be with your authentication. Try removing any authentication commands and see if you are syncing correctly. If so, then put the command back in and then do a debug on both server and client using the following debug commands:
debug ntp auth
debug ntp sync
debug ntp events
debut ntp packet
From these you should see the reason why the authentication is failing (if it is indeed failing) and to see why no associations are appearing.
I hope this has been helpful!
Laz
Great explanation Rene!
Having a scenario where I have a ntp server and a ntp client:
What would happen if my 2 clocks (software and calendar) are no synchronized? I mean if I donât apply the command ntp update-calendar?
From my point of view, It does not matter because after rebooting, the software clock first update its information with the calendar but then synchronize with the ntp server. So after all it has the ntp server information.
Secondly, I have ntp configuration here in my office with but I have some doubts.
This is the config of mi router
ntp
server 10.11.11.7 prefer
server 10.11.11.11 prefer
source Loopback1
Show ntp associations
RP/0/RSP0/CPU0:ROUCGNCDE1#show ntp associations
Thu Jul 25 17:07:04.240 PYST
address ref clock st when poll reach delay offset disp
*~10.11.11.11 10.148.18.20 7 372 512 377 8.96 8.514 15.802
+~10.11.11.7 10.129.4.176 6 338 512 377 8.97 7.202 15.814
* sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
Show ntp status
RP/0/RSP0/CPU0:ROUCGNCDE1#show ntp status
Thu Jul 25 17:08:31.528 PYST
Clock is synchronized, stratum 8, reference is 10.11.11.11
nominal freq is 1000.1530 Hz, actual freq is 1000.1436 Hz, precision is 2**10
reference time is E0E49703.66B1C806 (17:00:51.401 PYST Thu Jul 25 2019)
clock offset is 8.514 msec, root delay is 149.841 msec
root dispersion is 269.33 msec, peer dispersion is 15.80 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.0000094287 s/s
system poll interval is 512, last update was 460 sec ago
Could you tell me why my device prefer the 10.11.11.11. (stratum 7) server than the 10.11.11.7(stratum 6) being that the stratum is Worst (7)
In the show ntp association I have the + sign in front of 10.11.11.7. What is the meaning of that?
Hello Rodrigo
Just so you know, I edited your post so that the config and the NTP associates table appears correctly, otherwise the columns were off and it was very difficult to read. 
You are correct that the software clock will be synchronized with NTP so it doesnât really matter what the hardware clock says. The purpose of the hardware clock is to be a source of time synchronization when the device is rebooted. Using an internal battery, the hardware clock gives the initial time to the software clock after bootup. Itâs a good idea however to make sure that the hardware clock is synchronized. This will keep a level of time accuracy in the event of a reboot and a loss of connectivity to the NTP server, as unlikely as such events occurring simultaneously may be.
You can configure the hardware clock to be periodically updated using NTP just to be sure that synchronization will be maintained even after a reboot. For more info about this, take a look at the following Cisco documentation:
As for your second question, the clock synchronization algorithm used by NTP and the process by which it chooses the time source it will use can become quite complex.
If you want to get into the details of the sync algorithm take a look at this link: (I donât usually post Wikipedia articles, but this is well done so there you go.) Itâs more detail than you need for certification but itâs interesting and can be helpful to know.
Now during the execution of the algorithm, all of the NTP sources are examined, until up to three candidate sources remain. (This is what the â+â means in the output, that this server, in the running of the NTP algorithm, was a final candidate.) From those, based on various parameters such as delay, latency, and offset.
Keep in mind that the stratum number represents the distance from the reference clock and is used to prevent cyclical dependencies in the hierarchy. Stratum is not always an indication of quality or reliability and it is common to find that you may have a stratum 7 source preferred over a stratum 6 source, as is the case with your network.
So your result is not in error, but is based on various parameters beyond just the stratum.
I hope this has been helpful!
Laz
1 Like
Awesome explanation! Thank you so much
1 Like
Hi,
Let say we have two ntp servers with the following IP addresses and stratum levels.
NTP Server-1 : 192.168.1.1 (Stratum 1)
NTP Server-2 : 192.168.1.2 (Stratum 2)
In my NTP client I have the following settings
Switch(config)# ntp server 192.168.1.1
Switch(config)# ntp server 192.168.1.2 prefer
So in this case client will be synchronized to NTP Server-1 or NTP Server-2 ? Prefer keyword overrides the rule of connecting always to a lower stratum server?
Thanks
Hello Fatih
First of all, although the stratum is important in the process of determining which device will be used for time synchronization, it is not the only criterion. The algorithm is quite complex, and it can result in a stratum 2 server being chosen over a stratum 1 server. Other criteria are also taken into account such as jitter, delay and so on. So you can have a stratum 2 device on your LAN and also a stratum 1 device on the internet, and your NTP client may choose the stratum 2 device even without the âpreferâ keyword. Take a look at this post for more details.
However, with the prefer keyword, that NTP server will indeed be preferred over the others. If it is reachable, then it will be chosen as the server to which the client will be sychronized.
I hope this has been helpful!
Laz
Hello
I need help for understanding NTP authentication. Are the NTP server, client and peer operating modes that the trusted-key command should be configured on for authentication to operate properly? What about NTP broadcast/multicast?
Thanks
Hello Boris
For the client server modes, NTP authentication involves configuring a trusted key on the server, and a corresponding key on the clients as well. Here it is the clients that authenticate the server. If you configure the server but do nothing to the clients, they will accept the NTP packets as they are, even though the server is sending authentication information. In the lesson, Rene shows how the clients can be configured to authentication the server. Note that the clients also include the ntp server <ip address> key <key_number> command, which specifies which server should be authenticated.
For NTP peers, the configuration is almost the same except that the command is now ntp peer <ip address> key <key_number> which indicates that the specific peer should be authenticated.
As for NTP broadcast mode, it is always best practice to enable authentication. When you configure NTP broadcast client mode (as opposed to NTP static client mode), the device is configured to passively listen for NTP broadcasts. You can apply authentication to this as well in the same manner as done in the client/server modes.
I hope this has been helpful!
Laz
1 Like
Hello Laz
Thanks a lot.
1 Like
Hello Laz,
I have following NTP related configuration on server.
ntp authentication-key 1 md5 045802150C2E 7
ntp authenticate
ntp trusted-key 1
ntp master 1
int eth1/1
ntp broadcast key 1
On Client:-
int eth1/1
ntp broadcast client
I have not manually configured any ntp server ip on the client.
Client is able to synchronize its clock with the server. While I have not configured any key on the client.
According to my understanding :-
To synchronize a client with server, a client will need the same key as has been configured on the server.
How client was able to synchronize with server without the key ?
Thanks,
Sachin
Hello Sachin
Take a look at this post.
If you have further questions let us know!
I hope this has been helpful!
Laz