Clock Synchronization Using NTP

Ensuring that consistent time information is distributed throughout the network is an important accomplishment. Correct timing not only makes event logs and management data more meaningful, but also makes it possible to use accounting records for auditing tasks and to enable features (such as time-based ACLs) only during specific periods.

The clock on a Cisco device can be set manually using the clock set EXEC-level command. Nonetheless, the recommended method for time synchronization is NTP.

Because of the adverse effects that incorrect time information might have on network availability and manageability, it is advisable that network and security administrators do whatever they can to guarantee that only authorized synchronization sources are used. Although NTP supports both plain-text and hash-based (MD5) authentication options, the MD5 method is undoubtedly the preferred one.

Figure 3-8 depicts the reference topology for the analysis of NTP operation using MD5 authentication. Example 3-26 collects the configuration commands of the IOS NTP server that was used to synchronize a set of NTP clients. To better understand this scenario, pay attention to the following details:

  • NTP clients authenticate packets received from servers. This is reflected in the fact that the ntp authenticate command is configured only on the client side.
  • The ntp trusted-key command is necessary to activate a key configured with the ntp authentication-key command.
Figure 3-8 Reference Topology for NTP Analysis

Example 3-27 illustrates a classic client-side debug. It also shows how to verify the synchronization status on a given device and the details associated with the source of clock data. (The commands used in this example are equally valid for ASA and IOS.)

Example 3-26. NTP Baseline Configuration

! NTP Server Configuration on IOS
ntp master 4
ntp authentication-key 1 md5 *****
ntp peer 192.168.1.21 key 1
ntp peer 192.168.1.23 key 1
ntp peer 192.168.1.25 key 1
!
! NTP configuration on ASA (server is reachable through logical interface "mgmt")
ASA1# show running-config ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.100 key 1 source mgmt
!
! NTP Configuration on IOS (including Catalyst 6500)
CAT6500B# show running-config | include ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp source Vlan1100
ntp server 192.168.1.100 key 1

Example 3-27. NTP Operation

! A typical debug on the client side (valid for IOS and ASA)
NTP: rcv packet from 192.168.1.100 to 192.168.1.25 on Vlan1100:
leap 0, mode 4, version 3, stratum 4, ppoll 64
rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7F7F0701 (127.127.7.1)
 ref CEAFDBC4.50C27B03 (11:59:16.315 BRT Thu Nov  19 2009)
 org CEAFCD40.7E7F03DF (10:57:20.494 BRT Thu Nov  19 2009)
 rec CEAFDBD2.6C4177F8 (11:59:30.422 BRT Thu Nov  19 2009)
 xmt CEAFDBD2.6C54908E (11:59:30.423 BRT Thu Nov  19 2009)
 inp CEAFCD40.7F0D7366 (10:57:20.496 BRT Thu Nov  19 2009)
 NTP: synced to new peer 192.168.1.100
!
! Verifying if the clock is already synchronized (valid for IOS and ASA)
ASA1# show ntp status

Clock is synchronized, stratum 5, reference is 192.168.1.100
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ceafcf15.f87ff739 (11:05:09.970 BRT Thu Nov  19 2009)
clock offset is -31.4958 msec, root delay is 36.30 msec
root dispersion is 1923.63 msec, peer dispersion is 1892.09 msec
!
! Verifying the source of timing information (valid for IOS and ASA)
ASA1# show clock detail
11:05:46.460 BRT Thu Nov 19 2009
Time source is NTP
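The following Python script is added here as an illustration and is not part of the book. It decodes the timestamps printed in the Example 3-27 debug (64-bit NTP format: seconds since 1900 plus a 32-bit fraction), derives the clock offset and round-trip delay from the org/rec/xmt/inp values, and reproduces the client-side check that ntp authenticate and ntp trusted-key enable: an MD5 digest over the key followed by the 48-byte NTP header, tagged with the key ID. The sample packet is constructed from the debug fields, and the key is a placeholder because the book masks the real key.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
BRT = timezone(timedelta(hours=-3))  # zone shown in the debug output

def parse_ntp_ts(hex_ts):
    """'CEAFDBC4.50C27B03' (IOS debug form) -> 64-bit NTP timestamp as an int."""
    secs, frac = hex_ts.split(".")
    return (int(secs, 16) << 32) | int(frac, 16)

def ntp_to_datetime(hex_ts, tz=BRT):
    """Seconds since 1900 plus 32-bit fraction -> wall-clock time in tz."""
    raw = parse_ntp_ts(hex_ts)
    micros = ((raw & 0xFFFFFFFF) * 10**6) >> 32
    return (NTP_EPOCH + timedelta(seconds=raw >> 32, microseconds=micros)).astimezone(tz)

def offset_and_delay(org, rec, xmt, inp):
    """RFC 5905 on-wire arithmetic: org=T1 client xmt, rec=T2 server rcv,
    xmt=T3 server xmt, inp=T4 client rcv. Returns (offset, delay) in seconds."""
    t1, t2, t3, t4 = (parse_ntp_ts(t) for t in (org, rec, xmt, inp))
    offset = ((t2 - t1) + (t3 - t4)) / 2 / 2**32
    delay = ((t4 - t1) - (t3 - t2)) / 2**32
    return offset, delay

def ntp_mac(key, key_id, packet):
    """NTP MD5 authenticator: 4-byte key ID + MD5(key || 48-byte header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()

def verify_ntp_packet(trusted_keys, authed):
    """What 'ntp authenticate' + 'ntp trusted-key' do on the client: accept
    only a trusted key ID and only when the digest matches."""
    if len(authed) != 48 + 20:
        return False
    packet, key_id = authed[:48], struct.unpack("!I", authed[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(ntp_mac(key, key_id, packet), authed[48:])

# Constructed sample: header fields copied from the Example 3-27 debug
# (LI 0, version 3, mode 4, stratum 4, poll 2**6, refid 127.127.7.1).
REF, ORG, REC, XMT, INP = ("CEAFDBC4.50C27B03", "CEAFCD40.7E7F03DF",
                           "CEAFDBD2.6C4177F8", "CEAFDBD2.6C54908E", "CEAFCD40.7F0D7366")
SAMPLE_PACKET = struct.pack("!BBbbIII", 0x1C, 4, 6, 0, 0, 2, 0x7F7F0701) + b"".join(
    struct.pack("!Q", parse_ntp_ts(t)) for t in (REF, ORG, REC, XMT))
SAMPLE_KEY = b"example-md5-key"  # constructed placeholder; the book masks its key with *****
SAMPLE_AUTHED = SAMPLE_PACKET + ntp_mac(SAMPLE_KEY, 1, SAMPLE_PACKET)
```

Run against the debug values, offset_and_delay reports an offset of roughly 3730 seconds (the client was about an hour behind the server before it synchronized) and a round-trip delay under 2 ms.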

Example 3-28 documents that the FWSM receives its timing information from the Catalyst 6500 chassis. If the underlying 6500 is synchronized through NTP, the FWSM displays NTP as its time source.

Example 3-28. Specific Considerations for the FWSM

! Time information obtained from the Catalyst chassis (which uses NTP)
FWSM2# show clock detail
12:42:56.570 BRT Thu Nov 19 2009
Time source is NTP
!
! There is no NTP option on the FWSM CLI
FWSM2# show ntp ?
ERROR: % Unrecognized command
!
FWSM2(config)#ntp ?
ERROR: % Unrecognized command