Clock Synchronization Using NTP
Distributing consistent time information throughout the network is an important accomplishment. Correct timing not only makes event logs and management data more meaningful (events recorded on different devices can be correlated), but also makes accounting records usable for auditing tasks and allows features such as time-based ACLs to be applied during specific periods.
The clock on a Cisco device can be set manually with the clock set EXEC-level command. Nonetheless, the recommended method for time synchronization is NTP.
Because incorrect time information can adversely affect network availability and manageability, network and security administrators should do whatever they can to guarantee that only authorized synchronization sources are used. NTP authentication on these platforms relies on a keyed MD5 hash of each packet, computed over a shared secret that is configured on both ends; the secret itself is never transmitted, so a client can discard time updates that do not come from an authorized server. Keep in mind that this protects origin and integrity only (NTP packets are not encrypted), and that any device holding the shared key can impersonate the server, so the key must be distributed only to the devices that need it.
Figure 3-8 depicts the reference topology used for the analysis of NTP operation with MD5 authentication. Example 3-26 assembles the configuration commands of the IOS NTP server that was used to synchronize a set of NTP clients, together with the corresponding client configurations on ASA and IOS. To understand this scenario, pay attention to the following details:
- NTP clients authenticate the packets they receive from servers. This is reflected in the fact that the ntp authenticate command appears only in the client configurations; the server side only needs the key itself (ntp authentication-key) so that it can compute the MAC on the packets it sends.
- The ntp trusted-key command is required to activate a key defined with the ntp authentication-key command. A key that is defined but not trusted is not used to validate received packets, even when ntp authenticate is enabled.
Figure 3-8 Reference Topology for NTP Analysis
Example 3-27 illustrates a classic client-side debug. It also shows how to verify the synchronization status of a device and the details of its clock source. (The commands used in this example are equally valid for ASA and IOS.) In the debug output, mode 4 identifies a server reply, and stratum 4 matches the ntp master 4 setting on the server, which is why the client later reports itself as stratum 5 in show ntp status; the refid 127.127.7.1 is the server's internal (local) clock reference. The org and inp timestamps are taken from the client's own clock (its transmit time, as echoed by the server, and its receive time), whereas rec and xmt are the server's receive and transmit times. The client derives its clock offset from the differences between these pairs; in this capture the client was running roughly 62 minutes behind the server before it synchronized.
Example 3-26. NTP Baseline Configuration
! NTP Server Configuration on IOS
ntp master 4
ntp authentication-key 1 md5 *****
ntp peer 192.168.1.21 key 1
ntp peer 192.168.1.23 key 1
ntp peer 192.168.1.25 key 1
!
! NTP configuration on ASA (server is reachable through logical interface "mgmt")
ASA1# show running-config ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.100 key 1 source mgmt
!
! NTP Configuration on IOS (including Catalyst 6500)
CAT6500B# show running-config | include ntp
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp source Vlan1100
ntp server 192.168.1.100 key 1
Example 3-27. NTP Operation
! A typical debug on the client side (valid for IOS and ASA)
NTP: rcv packet from 192.168.1.100 to 192.168.1.25 on Vlan1100:
 leap 0, mode 4, version 3, stratum 4, ppoll 64
 rtdel 0000 (0.000), rtdsp 0002 (0.031), refid 7F7F0701 (127.127.7.1)
 ref CEAFDBC4.50C27B03 (11:59:16.315 BRT Thu Nov 19 2009)
 org CEAFCD40.7E7F03DF (10:57:20.494 BRT Thu Nov 19 2009)
 rec CEAFDBD2.6C4177F8 (11:59:30.422 BRT Thu Nov 19 2009)
 xmt CEAFDBD2.6C54908E (11:59:30.423 BRT Thu Nov 19 2009)
 inp CEAFCD40.7F0D7366 (10:57:20.496 BRT Thu Nov 19 2009)
NTP: synced to new peer 192.168.1.100
!
! Verifying if the clock is already synchronized (valid for IOS and ASA)
ASA1# show ntp status
Clock is synchronized, stratum 5, reference is 192.168.1.100
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is ceafcf15.f87ff739 (11:05:09.970 BRT Thu Nov 19 2009)
clock offset is -31.4958 msec, root delay is 36.30 msec
root dispersion is 1923.63 msec, peer dispersion is 1892.09 msec
!
! Verifying the source of timing information (valid for IOS and ASA)
ASA1# show clock detail
11:05:46.460 BRT Thu Nov 19 2009
Time source is NTP
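The following is an added example, not code from the book or from Cisco: it models the authenticated server reply that Example 3-26 configures and the client-side processing behind the "synced to new peer" line in Example 3-27. The client check mirrors ntp authenticate plus ntp trusted-key (the key ID must be trusted and the MD5 MAC must match), and the offset and delay are computed from the four timestamps the debug prints (org, rec, xmt, inp), which are copied from Example 3-27. The MAC layout (4-byte key ID followed by MD5 over key || 48-byte header) is the NTPv3/NTPv4 symmetric-key format; the shared secret b"ntp-secret" is an assumption, since the page masks the real key as *****.

```python
"""Authenticated NTPv3 server reply and client-side verification.

Added example; not code from the original page. Assumes key ID 1 with
the made-up secret b"ntp-secret" and the standard NTP MAC format:
4-byte key ID + MD5(key || 48-byte header).
"""
import hashlib
import hmac
import struct

SERVER_KEY_ID = 1
SHARED_KEY = b"ntp-secret"  # assumed; the page masks the real key as *****


def parse_ts(text):
    """Parse a Cisco-style NTP timestamp 'SSSSSSSS.FFFFFFFF' into a 64-bit
    fixed-point integer (32 bits of seconds since 1900, 32 bits of fraction)."""
    sec, frac = text.split(".")
    return (int(sec, 16) << 32) | int(frac, 16)


def diff_seconds(a, b):
    """a - b as float seconds; subtract in the integer domain first to keep
    the sub-microsecond fraction that a float conversion of ~3.4e9 would lose."""
    return (a - b) / (1 << 32)


# Timestamps quoted from the Example 3-27 debug (server reply to 192.168.1.25).
REF = parse_ts("CEAFDBC4.50C27B03")   # server reference time
ORG = parse_ts("CEAFCD40.7E7F03DF")   # T1: client transmit, echoed by server
REC = parse_ts("CEAFDBD2.6C4177F8")   # T2: server receive
XMT = parse_ts("CEAFDBD2.6C54908E")   # T3: server transmit
INP = parse_ts("CEAFCD40.7F0D7366")   # T4: client receive


def build_header(leap, version, mode, stratum, poll, precision,
                 root_delay, root_disp, refid, ref, org, rec, xmt):
    """Serialize the 48-byte NTP header (all fields big-endian)."""
    li_vn_mode = (leap << 6) | (version << 3) | mode
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, refid, ref, org, rec, xmt)


def sign(header, key_id, key):
    """Append the symmetric-key MAC: key ID, then MD5 over key || header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def server_response():
    """Server reply as the debug shows it: leap 0, version 3, mode 4 (server),
    stratum 4 (from 'ntp master 4'), poll 2**6 = 64, refid 127.127.7.1.
    Precision (-6) and the raw root dispersion (2) are assumed values."""
    header = build_header(leap=0, version=3, mode=4, stratum=4, poll=6,
                          precision=-6, root_delay=0, root_disp=2,
                          refid=bytes([127, 127, 7, 1]),
                          ref=REF, org=ORG, rec=REC, xmt=XMT)
    return sign(header, SERVER_KEY_ID, SHARED_KEY)


def verify(packet, trusted_keys):
    """Client check equivalent to 'ntp authenticate' + 'ntp trusted-key'.
    trusted_keys maps key ID -> secret. Returns (accepted, reason)."""
    if len(packet) != 48 + 4 + 16:
        return False, "no MAC present"
    header, key_id_bytes, mac = packet[:48], packet[48:52], packet[52:]
    key_id = struct.unpack("!I", key_id_bytes)[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not trusted" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad MAC"
    return True, "ok"


def offset_and_delay(org, rec, xmt, inp):
    """Standard NTP arithmetic: offset = ((T2-T1)+(T3-T4))/2,
    delay = (T4-T1)-(T3-T2), both in seconds."""
    offset = (diff_seconds(rec, org) + diff_seconds(xmt, inp)) / 2
    delay = diff_seconds(inp, org) - diff_seconds(xmt, rec)
    return offset, delay


def client_receive(packet, trusted_keys, sent_org=ORG, inp=INP):
    """Process a reply on the client: authenticate, confirm the reply echoes
    the timestamp we sent (replay/spoof guard), then compute offset/delay."""
    accepted, reason = verify(packet, trusted_keys)
    if not accepted:
        return {"accepted": False, "reason": reason}
    org, rec, xmt = struct.unpack("!QQQ", packet[24:48])
    if org != sent_org:
        return {"accepted": False, "reason": "origin timestamp mismatch"}
    offset, delay = offset_and_delay(org, rec, xmt, inp)
    return {"accepted": True, "reason": reason, "offset": offset, "delay": delay}


if __name__ == "__main__":
    result = client_receive(server_response(), {SERVER_KEY_ID: SHARED_KEY})
    print("accepted=%s offset=%.4fs delay=%.4fs" %
          (result["accepted"], result["offset"], result["delay"]))
```

With the page's timestamps the computed offset is about 3729.93 s (the 62-minute gap visible between org and rec in the debug) and the round-trip delay under 2 ms. A reply signed with an unknown key ID, with the wrong secret, or altered after signing (for example to claim a lower stratum) is rejected before any of that arithmetic runs, which is exactly the behaviour the client-side ntp authenticate and ntp trusted-key commands buy you.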
Example 3-28 documents that the FWSM receives its timing information from the Catalyst 6500 chassis. If the underlying Catalyst 6500 is synchronized through NTP, the FWSM displays NTP as its time source, even though the FWSM CLI itself has no ntp commands.
Example 3-28. Specific Considerations for the FWSM
! Time information obtained from the Catalyst chassis (which uses NTP)
FWSM2# show clock detail
12:42:56.570 BRT Thu Nov 19 2009
Time source is NTP
!
! There is no NTP option on the FWSM CLI
FWSM2# show ntp ?
ERROR: % Unrecognized command
!
FWSM2(config)# ntp ?
ERROR: % Unrecognized command