Network Time Protocol

Uploaded by

Qusai Rihab
Copyright
© All Rights Reserved

NTP

TABLE OF CONTENTS

1 General
2 NTP Architecture
3 Configuration
3.1 Static time config
3.2 Server config
3.3 Client config
3.4 Validate

1 GENERAL

- NTP = Network Time Protocol
- Used to synchronize time-of-day clocks
- NTP devices send timestamps to each other in NTP messages
- Server port UDP/123, client port is dynamic
- NTP is considered an application, so an NTP query can go over multiple hops
- NTP is important for:
o Time-based passwords
o Validating encrypted key exchanges
o Validating encryption certificates
- NTP synchronization is not fast:
o The first poll is done at 16 seconds; from then on, the poll interval is 64 seconds
o A large time difference can be synced in a couple of seconds (a few polling cycles)
o Accuracy of tens of milliseconds requires hours/days to sync
- Best practice to first set the clock statically to a reasonable time before NTP syncing
- Stratum level indicates how accurate the time is (lower is better, level 1-15)
- Atomic clocks are stratum 0
- Each device adds one stratum level if it learns it from an NTP server
- Routers and switches use default stratum level 8
- Stratum level 16 means the time cannot be trusted
- Best practice: the enterprise should refer to at least two external NTP servers for redundancy, but three for extra safety in case the time of one of the two NTP servers is off
- Some routers in the enterprise need to be ready to supply clock data if those primary NTP servers become unavailable. Configure it like this:
o Establish an association with the NTP servers using the ntp server command
o Establish an association with the internal clock using the ntp master command, and set the stratum level of the internal clock higher than the stratum of the NTP servers
o The router synchronizes with the best source, being the external NTP servers
- It’s best practice to set a loopback address as NTP server because this is always up/up
- Root dispersion is the calculated error of the clock attached to the authoritative source
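
The stratum, poll interval and root dispersion described above are all carried in the fixed 48-byte NTP header. The following is an added example (not part of the original notes) that decodes those fields and lists reasons to reject a reply; the function names, the sample packets and the 1.0 s dispersion limit are assumptions made for illustration.

```python
import struct

# Fixed 48-byte NTP header (RFC 5905), network byte order.
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the fields that matter when deciding whether to trust a reply."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, poll, _precision, _root_delay, root_disp,
     _ref_id, _ref_ts, _orig_ts, _recv_ts, xmit_ts) = NTP_HEADER.unpack_from(packet)
    return {
        "leap": flags >> 6,              # 3 = clock unsynchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,             # 4 = server reply
        "stratum": stratum,
        "poll_seconds": 2 ** poll,       # poll is a log2 exponent: 4 -> 16 s, 6 -> 64 s
        "root_dispersion": root_disp / 65536,  # 16.16 fixed point, seconds
        "transmit": xmit_ts,
    }

def trust_problems(hdr: dict, max_root_dispersion: float = 1.0) -> list:
    """Return reasons to reject a reply; the 1.0 s limit is an assumed local policy."""
    problems = []
    if hdr["mode"] != 4:
        problems.append("not a server reply")
    if hdr["leap"] == 3:
        problems.append("leap indicator says unsynchronized")
    # On the wire, stratum 0 is 'unspecified' (kiss-o'-death) and 16 is unsynchronized.
    if hdr["stratum"] == 0 or hdr["stratum"] >= 16:
        problems.append("stratum %d cannot be trusted" % hdr["stratum"])
    if hdr["root_dispersion"] > max_root_dispersion:
        problems.append("root dispersion too large")
    if hdr["transmit"] == 0:
        problems.append("empty transmit timestamp")
    return problems

def build_reply(stratum, leap=0, poll=6, root_disp=0.01) -> bytes:
    """Constructed sample reply (not a capture): version 4, mode 4."""
    flags = (leap << 6) | (4 << 3) | 4
    return NTP_HEADER.pack(flags, stratum, poll, -20, 0, int(root_disp * 65536),
                           b"GPS\x00", 0, 0, 0, 1 << 63)

if __name__ == "__main__":
    for pkt in (build_reply(2), build_reply(16, leap=3), build_reply(3, root_disp=2.5)):
        hdr = parse_ntp_header(pkt)
        print(hdr["stratum"], hdr["poll_seconds"], trust_problems(hdr) or "ok")
```
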

2 NTP ARCHITECTURE

- Client/server model
- NTP primary server:
o only acts as server
o directly connected to an authoritative time source
o stratum level 1
- NTP secondary server:
o server that uses client/server mode
o relies on synchronization with some other NTP server
- NTP peer:
o Devices that are both connected to an external NTP source
o Peers act as client and server to each other. They try to blend their time
o Used in redundant setups (e.g. 2 WAN routers)
o Peers adjust at a maximum rate of two minutes per query

3 CONFIGURATION

3.1 STATIC TIME CONFIG

- Best practice to first set the clock statically to a reasonable time before NTP syncing

- clock timezone timezoneName +-hourOffset (Conf): the name of the timezone can be chosen by the admin; only the offset has to be correct
- clock summer-time timezone recurring (Conf): configures daylight saving time; recurring means the router will spring forward and backward an hour automatically
- clock set hh:mm:ss dayOfMonth month year: statically configure the clock
o Example: clock set 19:18:30 22 Oct 2020

Time Belgium:

clock timezone CET 1

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

service timestamps log datetime localtime year

3.2 SERVER CONFIG

- ntp master stratum-lvl (Conf): device acts as NTP server only. It gets its time information from the internal clock on the device; default level is 8
- ntp source loopback nr (Conf)
- ntp peer ipAddress (Conf)

3.3 CLIENT CONFIG

- ntp server {address|hostname} [prefer] [source interface] (Conf)
o Device can act as both client and server. First it acts as a client and synchronizes its time with the server. Then it acts as a server itself
o Multiple servers can be set for redundancy, but only one server is actively used
o source is used to stipulate the source IP address for queries to the server
o The prefer keyword marks which NTP server the time should come from
- Example when using VRF (Conf):
ntp source GigabitEthernet0/0
ntp server vrf MgmtVRF 10.24.0.1
- ntp logging (Conf): log NTP events
- ntp panic update (Conf): reject time updates too far off the internal clock (> panic threshold, default 1000 sec)
- service timestamps log datetime localtime (Conf): sync logging time with local NTP time

3.4 VALIDATE

- show ntp status
- show ntp associations
o '*' means it is connected to the server
o '~' means the server is configured
