CCNA 200-301 Portable Command Guide 5th Edition 20

Configure and secure NTP for accurate time across your network. Learn NTP design, troubleshooting, clock settings, and timestamps with configuration examples to support SLAs and log accuracy.

Alice Edwards
Contributor
2 months ago
CHAPTER 19
Configuring Network Time Protocol (NTP)
This chapter provides information about the following topics:
- NTP configuration
- NTP design
- Securing NTP
- Verifying and troubleshooting NTP
- Setting the clock on a router
- Using time stamps
- Configuration example: NTP
Most networks today are being designed with high performance and reliability in mind.
Delivery of content is, in many cases, guaranteed by service level agreements (SLAs).
Having your network display an accurate time is vital to ensuring that you have the best
information possible when reading logging messages or troubleshooting issues.
NTP Configuration
Edmonton(config)# ntp server 209.165.200.254
Configures the Edmonton router to synchronize its clock to a public NTP server at address 209.165.200.254
NOTE: This command makes the Edmonton router an NTP client to the external NTP server
NOTE: A Cisco IOS router can be both a client to an external NTP server and an NTP server to client devices inside its own internal network
NOTE: When NTP is enabled on a Cisco IOS router, it is enabled on all interfaces

Edmonton(config)# ntp server 209.165.200.234 prefer
Specifies a preferred NTP server if multiple ones are configured
TIP: It is recommended to configure more than one NTP server

Edmonton(config-if)# ntp disable
Disables the NTP server function on a specific interface. The interface will still act as an NTP client
TIP: Use this command on interfaces connected to external networks

Edmonton(config)# ntp master stratum
Configures the router to be an NTP master clock to which peers synchronize when no external NTP source is available. The stratum is an optional number between 1 and 15. When enabled, the default stratum is 8
NOTE: A reference clock (for example, an atomic clock) is said to be a stratum-0 device. A stratum-1 server is directly connected to a stratum-0 device. A stratum-2 server is connected across a network path to a stratum-1 server. The larger the stratum number (moving toward 15), the less authoritative that server is and the less accuracy it will have

Edmonton(config)# ntp max-associations 200
Configures the maximum number of NTP peer-and-client associations that the router will serve. The range is 0 to 4,294,967,295. The default is 100

Edmonton(config)# access-list 101 permit udp any host a.b.c.d eq ntp
Creates an access list statement that will allow NTP communication for the NTP server at address a.b.c.d. This ACL should be placed in an inbound direction

NOTE: When a local device is configured with the ntp master command, it can be identified by a syntactically correct but invalid IP address. This address will be in the form of 127.127.x.x. The master will synchronize with itself and uses the 127.127.x.x address to identify itself. This address will be displayed with the show ntp associations command and must be permitted via an access list if you are authenticating your NTP servers.
NTP Design
You have two different options in NTP design: flat and hierarchical. In a flat design, all
routers are peers to each other. Each router is both a client and a server with every other
router. In a hierarchical model, there is a preferred order of routers that are servers and
others that act as clients. You use the ntp peer command to determine the hierarchy.
TIP: Do not use the flat model in a large network, because with many NTP servers it
can take a long time to synchronize the time.
Edmonton(config)# ntp peer 172.16.21.1
Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1

Edmonton(config)# ntp peer 172.16.21.1 version 2
Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1 using version 2 of NTP. There are three versions of NTP (versions 2-4)
NOTE: Although Cisco IOS recognizes three versions of NTP, versions 3 and 4 are most commonly used. Version 4 introduces support for IPv6 and is backward compatible with version 3. NTPv4 also adds DNS support for IPv6.
NOTE: NTPv4 has increased security support using public key cryptography and X.509 certificates.
NOTE: NTPv3 uses broadcast messages. NTPv4 uses multicast messages.

Edmonton(config)# ntp peer 172.16.21.1 source loopback 0
Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1. The source IP address is the address of interface Loopback 0
TIP: Choose a loopback interface as your source for NTP because it will never go down. ACL statements will also be easier to write as you will require only one line to allow or deny traffic

Edmonton(config)# ntp peer 172.16.21.1 source loopback 0 prefer
Makes this peer the preferred peer that provides synchronization

Securing NTP
You can secure NTP operation using authentication and access lists.
NOTE: Securing NTP is not part of the CCNA (200-301) exam topics.
Enabling NTP Authentication
NTPServer(config)# ntp authentication-key 1 md5 NTPpa55word
Defines an NTP authentication key
1 = number of authentication key. Can be a number between 1 and 4,294,967,295
md5 = using MD5 hash. This is the only option available on Cisco devices
NTPpa55word = password associated with this key

NTPServer(config)# ntp authenticate
Enables NTP authentication

NTPServer(config)# ntp trusted-key 1
Defines which keys are valid for NTP authentication. The key number here must match the key number you defined in the ntp authentication-key command

NTPClient(config)# ntp authentication-key 1 md5 NTPpa55word
Defines an NTP authentication key

NTPClient(config)# ntp authenticate
Enables NTP authentication

NTPClient(config)# ntp trusted-key 1
Defines which keys are valid for NTP authentication. The key number here must match the key number you defined in the ntp authentication-key command

NTPClient(config)# ntp server 192.168.200.1 key 1
Defines the NTP server that requires authentication at address 192.168.200.1 and identifies the peer key number as key 1

NOTE: NTP does not authenticate clients; it only authenticates the source. That means
that a device will respond to unauthenticated requests. Therefore, access lists should
be used to limit NTP access.
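
What the shared key buys the client, as an added example that is not from the book or from Cisco: the symmetric-key check a client applies to a server reply, using the standard NTP MAC layout (4-byte key ID followed by an MD5 digest of the key concatenated with the 48-byte header). The sample header is constructed, the function names are hypothetical, and extension fields are out of scope.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # NTP header without extension fields
MAC_LEN = 20      # 4-byte key ID + 16-byte MD5 digest

def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Build the MAC: key ID followed by MD5(key || header)."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def verify_reply(packet: bytes, trusted_keys: dict) -> bool:
    """Client-side check: accept a reply only if its MAC matches a trusted key."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                      # no MAC (or unexpected length): reject
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                      # key ID is not in the trusted set
    return hmac.compare_digest(ntp_mac(key_id, key, header), mac)

# Constructed sample: LI=0, VN=4, Mode=4 (server), stratum 2; other fields zeroed.
SAMPLE_HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)
TRUSTED = {1: b"NTPpa55word"}   # ntp authentication-key 1 md5 ... / ntp trusted-key 1

def demo() -> dict:
    good = SAMPLE_HEADER + ntp_mac(1, TRUSTED[1], SAMPLE_HEADER)
    tampered = bytes([good[0], 1]) + good[2:]          # stratum altered in transit
    wrong_key = SAMPLE_HEADER + ntp_mac(1, b"guess", SAMPLE_HEADER)
    untrusted_id = SAMPLE_HEADER + ntp_mac(2, TRUSTED[1], SAMPLE_HEADER)
    return {
        "good": verify_reply(good, TRUSTED),
        "tampered": verify_reply(tampered, TRUSTED),
        "wrong_key": verify_reply(wrong_key, TRUSTED),
        "untrusted_id": verify_reply(untrusted_id, TRUSTED),
        "no_mac": verify_reply(SAMPLE_HEADER, TRUSTED),
    }

if __name__ == "__main__":
    print(demo())
```
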
NOTE: Once a device is synchronized to an NTP source, it will become an NTP server
to any device that requests synchronization.
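
A way to check a saved configuration against the authentication steps above, as an added example that is not from the book: it flags a missing ntp authenticate, server or peer statements without a key, keys that are not defined or not trusted, and a single time source. The function name and both sample configurations are constructed, and only the plain "ntp server/peer <address> ..." form is parsed.

```python
import re

def audit_ntp(config: str) -> list:
    """Return findings for NTP authentication gaps in an IOS-style config."""
    defined, trusted, sources = set(), set(), []
    authenticate = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ntp authentication-key (\d+) md5 \S+", line):
            defined.add(m.group(1))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(m.group(1))
        elif line == "ntp authenticate":
            authenticate = True
        elif m := re.match(r"ntp (?:server|peer) (\S+)(.*)", line):
            key = re.search(r"\bkey (\d+)\b", m.group(2))
            sources.append((m.group(1), key.group(1) if key else None))
    findings = []
    if not authenticate:
        findings.append("ntp authenticate is missing")
    if len(sources) < 2:
        findings.append("fewer than two NTP sources configured")
    for addr, key in sources:
        if key is None:
            findings.append(f"{addr}: no key on the server/peer statement")
        elif key not in defined:
            findings.append(f"{addr}: key {key} has no ntp authentication-key")
        elif key not in trusted:
            findings.append(f"{addr}: key {key} is not an ntp trusted-key")
    return findings

# Constructed sample: key defined but never trusted, authentication never enabled.
WEAK = """
ntp authentication-key 1 md5 NTPpa55word
ntp trusted-key 2
ntp server 192.168.200.1 key 1
"""

# Constructed sample: the client steps from this section plus a second source.
HARDENED = """
ntp authentication-key 1 md5 NTPpa55word
ntp authenticate
ntp trusted-key 1
ntp server 192.168.200.1 key 1 prefer
ntp server 192.168.200.2 key 1
"""

if __name__ == "__main__":
    print(audit_ntp(WEAK), audit_ntp(HARDENED))
```
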