Network Time Protocol

NTP is used to synchronize device clocks in the network. Clock synchronization
is important for correlating syslog messages and for other security
features such as certificate-based encryption, routing protocol authentication
key expiration, time-based ACLs, and more. NTP runs over UDP port 123.
Time is tracked internally using Coordinated Universal Time (UTC). You can
configure a time zone on the router to display the correct local time. Cisco
routers allow you to configure NTP with either a peer association or a
server association. In a peer association, either system can synchronize to
the other. In a server association, the local system can only synchronize to
the remote system.
Because time synchronization is a security-related feature, it is wise to
configure a router to authenticate NTP information coming from a peer or
server. This prevents an attacker from spoofing NTP packets to corrupt the
system clock. For added security, you can use an ACL to restrict the IP
address(es) with which the router can synchronize time.
Example 5-10 demonstrates configuration of an authenticated NTP server
with an NTP ACL. In this example, the router is only allowed to synchronize
with a server at 10.1.1.1 that shares the MD5 authentication key my_ntp_key.

Example 5-10 Configuring Authenticated NTP
R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 my_ntp_key
R2(config)#ntp trusted-key 1
R2(config)#ntp server 10.1.1.1 key 1
R2(config)#access-list 1 permit host 10.1.1.1
R2(config)#ntp access-group peer 1
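
The following Python check is an added example, not part of the original text and not a Cisco tool: it audits a saved configuration for the settings shown in Example 5-10 and reports which ones are missing or inconsistent. The names audit_ntp and _grab, the two sample configurations, and the restriction to numbered standard ACLs with single-host entries are assumptions made for illustration.

```python
import re

def _grab(pattern, lines):  # match objects for lines that match from the start
    return [m for m in (re.match(pattern, ln) for ln in lines) if m]

def audit_ntp(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate missing")
    defined = {m.group(1) for m in _grab(r"ntp authentication-key (\d+) md5 \S+", lines)}
    trusted = {m.group(1) for m in _grab(r"ntp trusted-key (\d+)$", lines)}
    for key in sorted(trusted - defined):
        findings.append(f"trusted-key {key} has no authentication-key")
    sources = {m.group(1): m.group(2)  # address -> key id, None if unkeyed
               for m in _grab(r"ntp (?:server|peer) (\S+)(?: key (\d+))?", lines)}
    for addr, key in sources.items():
        if key is None:
            findings.append(f"{addr}: association has no key")
        elif key not in defined or key not in trusted:
            findings.append(f"{addr}: key {key} is not both defined and trusted")
    groups = _grab(r"ntp access-group peer (\d+)$", lines)
    if not groups:
        findings.append("ntp access-group peer missing")
    else:
        acl = groups[0].group(1)
        # Assumption: numbered standard ACL with single-host permit entries only.
        pat = rf"access-list {acl} permit (?:host )?(\d+(?:\.\d+){{3}})$"
        allowed = {m.group(1) for m in _grab(pat, lines)}
        for addr in sources:
            if addr not in allowed:
                findings.append(f"{addr}: not permitted by access-list {acl}")
    return findings

# Constructed sample configurations (not captured from a device).
HARDENED = """\
ntp authenticate
ntp authentication-key 1 md5 my_ntp_key
ntp trusted-key 1
ntp server 10.1.1.1 key 1
access-list 1 permit host 10.1.1.1
ntp access-group peer 1
"""
WEAK = """\
ntp authentication-key 1 md5 my_ntp_key
ntp server 10.1.1.1
"""
print(audit_ntp(HARDENED) or "hardened: OK", audit_ntp(WEAK), sep="\n")
```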