NTP Server Configuration

NTP Server Configuration

Problem

You want to configure the NTP server to provide time to your routers.

Solution

To configure an NTP server to provide time to your network, use the commands in Example 14-1.

Example 14-1. /etc/ntp.conf

#Define NTP Servers
#
server 10.1.1.1
server 10.2.2.2
server 10.3.3.3
#
#Define Access Control
restrict 10.1.1.1 nomodify notrap nopeer noquery
restrict 10.2.2.2 nomodify notrap nopeer noquery
restrict 10.3.3.3 nomodify notrap nopeer noquery
#
#Define NTP Drift File
driftfile /var/log/ntp.drift

The NTP servers used in this example are fictitious. Please read the Discussion section to learn how to locate publicly available NTP servers.


Discussion

To find publicly available NTP servers to synchronize to, perform an nslookup on domain name pool.ntp.org. This DNS entry contains a number of Stratum 2 NTP servers that have agreed to participate in the DNS round robin group. Please be sure to perform the nslookup yourself to ensure you choose active and accurate NTP servers. The ones listed in the following example may have grown stale since the publication of this book:

Freebsd% nslookup pool.ntp.org
Server: dns.oreilly.com
Address: 172.25.1.99

Non-authoritative answer:
Name: pool.ntp.org
Addresses: 194.231.42.100, 216.52.237.151, 64.81.87.189, 65.111.164.224
66.17.252.26, 66.180.134.50, 67.128.71.75, 72.21.46.202, 80.190.241.157, 84.16.227.201,
84.45.18.237, 139.140.181.133

Freebsd%

We strongly recommend that you use the IP addresses, since the restrict commands will not work with DNS names. The restrict commands define access control. For more information on access control commands, please see the manpages for ntp.conf.

Once configured and launched, you can monitor the current status of your NTP server by using the ntpq command. One of the most useful command options is ntpq p, which shows you the current status of the server and its configured NTP servers:

Freebsd% ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
+10.1.1.1 .GPS. 1 u 479 1024 177 97.930 -0.552 13.109
*10.2.2.2 .USNO. 1 u 527 1024 377 41.933 1.565 2.462
+10.3.3.3 .WWV. 1 u 442 1024 377 0.956 -0.259 0.668
Freebsd%

As you can see, the three fictitious NTP servers are all active and reachable. We can also tell by the "*" that our server is synchronized to server 10.2.2.2, which is a Stratum 1 server, as listed in the "st" column. The other two servers are selected for possible synchronization, as denoted by the "+". For a complete listing of NTP status codes, please see Table 14-2 or the ntpq manpage.

To enable MD5 authentication on the server, so that your routers can access it securely, you must first create one or more keys in the NTP key file called /etc/ntp.keys (Example 14-2).

Example 14-2. /etc/ntp.keys

2   M  oreilly
3 M testing

In this example, we have created two MD5 keys, 2 and 3. Although the server will support other authentication methods, Cisco IOS only supports MD5 keys. The MD5 keys must be entered as clear text and must match the key(s) listed in your router configuration.

Once you have created your NTP keys, you must configure the server to enable authentication by modifying the ntp.conf file:

#Define NTP Servers
#
server 10.1.1.1
server 10.2.2.2
server 10.3.3.3
#
#Define Access Control
restrict 10.1.1.1 nomodify notrap nopeer noquery
restrict 10.2.2.2 nomodify notrap nopeer noquery
restrict 10.3.3.3 nomodify notrap nopeer noquery
#
#Define NTP Drift File
driftfile /var/log/ntp.drift
#
#Enable Authorization
enable auth
keys /etc/ntp.keys
trustedkey 2

In this example, we have highlighted the authentication portion of the ntp.conf file. As you can see, we have enabled authentication by using the enable auth command. We then defined where the NTP key file is located, and finally we enabled key number 2 as our trusted key. Once the NTP daemon is restarted, the server is ready to provide authenticated access to the routers.

The following example shows how to configure a router to securely access our server using NTP authentication. Please note that the authentication key number and password must be the same as the one configured in the server to work:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ntp authentication-key 2 md5 oreilly
Router(config)#ntp authenticate
Router(config)#ntp trusted-key 2
Router(config)#ntp server 172.25.1.1 key 2
Router(config)#end
Router#

For more information on configuring the router for NTP authentication, please see Recipe 14.12 or the ntp.conf manpage.

See Also