
CCNA Security / CCNP ISCW Tutorial:

Configuring The Network Time Protocol (NTP)

Chris Bryant, CCIE #12933

 

In the first installment of this CCNA Security tutorial on NTP, we discussed why having the correct, synchronized time on your network routers is so important.

Here, we'll look at how to get that synchronized time with the Network Time Protocol (NTP). At the conclusion of the previous installment, we were just getting ready to begin our NTP config, and that's where we'll pick up now.

Setting The Clock And Configuring NTP

It's highly recommended that you use an NTP public timeserver as your NTP Master time source.  If you use one of your network routers as an NTP Master, it's imperative that you use NTP authentication and/or ACLs to prevent routers outside your network from attempting to synchronize with your router.

Since this is a lab environment,  we'll configure R1 as our NTP Master.  R1 will serve as R3's NTP Server, and then we'll configure an NTP peering between R2 and R3.  The router number serves as the last octet of each IP address in this lab.

CCNA Security Network Time Protocol Lab

 

 

Let's check the clock on R1.

R1#show clock
*10:05:18.097 UTC Mon Mar 1 1993

Ahh, let's not go back in time today...

R1#clock ?
  set  Set the time and date

R1#clock set ?
  hh:mm:ss  Current Time

R1#clock set 10:53:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year

R1#clock set 10:53:00 23 ?
  MONTH  Month of the year

R1#clock set 10:53:00 23 April ?
  <1993-2035>  Year

R1#clock set 10:53:00 23 April 2008 ?
  <cr>

R1#clock set 10:53:00 23 April 2008

Verify with show clock:

R1#show clock
10:53:02.599 EST Wed Apr 23 2008

Here are our NTP options:

R1(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources

We're going to configure R1 as the NTP Master for our network, and set an authentication key of CCNP.  Note that NTP authentication requires two commands - the authenticate command to enable authentication, then the authentication-key command to actually set the password.  The only authentication method offered is MD5 (a keyed hash, not encryption), but you still have to specify it.


Let's get this config started!

R1(config)#ntp master
R1(config)#ntp authenticate ?
  <cr>

R1(config)#ntp authenticate
R1(config)#ntp authentication-key ?
  <1-4294967295>  Key number

R1(config)#ntp authentication-key 1 ?
  md5  MD5 authentication

R1(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key

R1(config)#ntp authentication-key 1 md5 CCNP

On R3, the clock is set to 1993 as well.

R3#show clock
*10:12:50.193 UTC Mon Mar 1 1993

We'll configure R3 to use 172.12.13.1 as its NTP server, and set the authentication key of CCNP.

R3(config)#ntp server 172.12.13.1
R3(config)#ntp authenticate
R3(config)#ntp authentication-key ?
  <1-4294967295>  Key number

R3(config)#ntp authentication-key 1 md5 CCNP

Moments later, R3 reflects the correct time. 

R3#show clock
15:00:05.463 UTC Wed Apr 23 2008

NTP does not generally work this quickly in real-world networks, so be patient!

Let's go to R2 and set up an NTP peering with R3, configuring ntp peer on R3 before heading for R2.  This peering will not use authentication.

R3(config)#ntp peer 172.12.23.2

R2(config)#ntp peer 172.12.23.3

A few moments later, the peering is in place and R2 reflects the correct time.

R2#show clock
15:04:51.918 UTC Wed Apr 23 2008

The commands show ntp status and show ntp associations will verify your NTP configuration.  The key phrase in show ntp status is "clock is synchronized".

R2#show ntp status
Clock is synchronized , stratum 10, reference is 172.12.23.3
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
reference time is CBB9CEC8.17FBD1B8 (15:05:44.093 UTC Wed Apr 23 2008)
clock offset is -0.6214 msec, root delay is 37.20 msec
root dispersion is 5.04 msec, peer dispersion is 0.53 msec

R2#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset
*~172.12.23.3      172.12.13.1      9    61    64  376     6.4   -0.62
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

The asterisk next to 172.12.23.3 indicates the NTP time server that the local router has synched up with.  If you don't see at least one address with an asterisk next to it, there's a problem with your config. 

(Remember to give NTP configs a few minutes to take effect and for synchronization to take place in real-world networks...sometimes more than a few minutes!)
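The two checks described above (the "clock is synchronized" phrase and the asterisk flag) can be automated when you collect show output from many routers. The Python below is an added example, not part of the original tutorial; the function names are hypothetical, and it goes one step beyond the text by decoding the reach column, which is an octal 8-bit register of the most recent poll results.

```python
import re

# Output copied from the R2 session above (legend kept on its own line).
STATUS = "Clock is synchronized , stratum 10, reference is 172.12.23.3"
ASSOC = """\
      address         ref clock     st  when  poll reach  delay  offset
*~172.12.23.3      172.12.13.1      9    61    64  376     6.4   -0.62
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Flag meanings taken from the legend line of show ntp associations.
FLAGS = {"*": "master (synced)", "#": "master (unsynced)", "+": "selected",
         "-": "candidate", "~": "configured"}
# flags, address, ref clock, stratum, when (skipped), poll (skipped), reach
ROW = re.compile(
    r"^\s*([*#+\-~]*)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+([0-7]+)")

def parse_associations(text):
    """Turn each association row into a dict; header and legend are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        flags, addr, ref, stratum, reach = m.groups()
        peers.append({
            "address": addr,
            "ref_clock": ref,
            "stratum": int(stratum),
            "flags": [FLAGS[f] for f in flags],
            # reach is octal: 377 means all of the last eight polls answered
            "answered_of_last_8": bin(int(reach, 8)).count("1"),
        })
    return peers

def sync_problems(status, assoc):
    """Return the list of failed checks; an empty list means the router is synced."""
    problems = []
    if not re.search(r"clock is synchronized", status, re.I):
        problems.append("show ntp status does not report a synchronized clock")
    if not any("master (synced)" in p["flags"] for p in parse_associations(assoc)):
        problems.append("no association carries the * flag")
    return problems
```
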

As you saw earlier, there are quite a few NTP options - and while you certainly don't have to use all of them in your NTP config, there are a few I've found particularly helpful:

If we're fortunate enough to have NTP redundancy, a router may have more than one NTP server to choose from, and you may prefer one specific server over the other.  Use the prefer option at the end of the ntp server command to specify a preferred NTP server.

R3(config)#ntp server 172.12.13.1 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
  <cr>

R3(config)#ntp server 172.12.13.1 prefer

Another NTP command related to authentication is ntp trusted-key, which simply specifies the valid NTP key number(s).

R3(config)#ntp authenticate
R3(config)#ntp authentication-key 1 md5 CCNP
R3(config)#ntp trusted-key ?
  <1-4294967295>  Key number

R3(config)#ntp trusted-key 1 ?
  <cr>

R3(config)#ntp trusted-key 1

When you set an NTP key number, that router will only synch with other routers using that exact key number.
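The authentication commands in this tutorial only protect an association when they are tied together. The checker below is an added example, not part of the original tutorial; it assumes that IOS authenticates an association only when the key is defined, listed by ntp trusted-key, and referenced with the key option (shown in the ntp server help output above) on the ntp server or ntp peer line. The function name and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: the R3 commands as entered earlier in this lab.
R3_LAB = """\
ntp server 172.12.13.1
ntp authenticate
ntp authentication-key 1 md5 CCNP
ntp peer 172.12.23.2
"""

# Constructed sample: same router with key 1 trusted and bound to the server.
R3_BOUND = """\
ntp authenticate
ntp authentication-key 1 md5 CCNP
ntp trusted-key 1
ntp server 172.12.13.1 key 1 prefer
ntp peer 172.12.23.2
"""

def audit_ntp_auth(config):
    """Return findings; an empty list means every association is keyed."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip().startswith("ntp ")]
    defined = {m.group(1) for l in lines
               if (m := re.match(r"ntp authentication-key (\d+) md5 \S+", l))}
    trusted = {m.group(1) for l in lines
               if (m := re.match(r"ntp trusted-key (\d+)$", l))}
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate is missing")
    for key in sorted(defined - trusted):
        findings.append(f"key {key} is defined but not trusted")
    for l in lines:
        m = re.match(r"ntp (server|peer) (\S+)(.*)", l)
        if not m:
            continue
        kind, addr, opts = m.groups()
        k = re.search(r"\bkey (\d+)", opts)
        if not k:
            # Assumption: an association without a key is not authenticated.
            findings.append(f"{kind} {addr} has no key option")
        elif k.group(1) not in defined or k.group(1) not in trusted:
            findings.append(
                f"{kind} {addr} uses key {k.group(1)} that is not defined and trusted")
    return findings
```

Run against the lab's R3 commands it reports three findings; the remaining finding for the second config is the R2/R3 peering, which this lab deliberately left unauthenticated.
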

Finally, if you want to limit the overall number of NTP peers and clients your router can associate with, use the ntp max-associations command.

R3(config)#ntp max-associations ?
  <0-4294967295>  Number of associations

I hope you enjoyed this CCNA Security exam tutorial! There are over 350 Cisco CCNA and CCNP tutorials waiting for you on our Tutorials page...

... and as always, thanks for making The Bryant Advantage part of your certification studies!

Chris Bryant

CCIE #12933

"The Computer Certification Bulldog"
