OmniSecu.com Logo  
omnisecu.com free mcse ccna rhce linux java learning
omnisecu.com free mcse ccna rhce linux java learning
          Sharefacebook twitter google+ google bookmark yahoo bookmark delicious digg linkedin pinterest reddit stumbleupon evernote diigo blinklist blogmarks livejournal email feed

Tutorials

How to configure Cisco Routers and Switches to synchronize time using NTP through IOS CLI

External Resources

In a network, if all the devices are not connected to internet directly, we can configure a Router (which is connected to internet) to synchronize its time from Public NTP Time Servers and remaining devices to syncronize from the first Router. Below lab topology, the Cisco Router "OmniSecuR1" is connected to internet directly and synchronize its time from public NTP time servers. Other two Cisco Routers "OmniSecuR2" and "OmniSecuR3" is configured with "OmniSecuR1" as the NTP Time Server and synchronize it's time from "OmniSecuR1".

NTP Lab

We have three routers; OmniSecuR1, OmniSecuR2 and OmniSecuR3. Here OmniSecuR1 is configured to synchronize its time with public NTP server pools pool.ntp.org and asia.pool.ntp.org. Using a pool as NTP Server is the better option, becuase pool is a cluster of NTP Time Servers. If one NTP server is failed, other server is available to provide time.

Click the following links to find FQDNs / IP Addresses of public NTP pools, Stratum-1 NTP Servers and Stratum-2 NTP Servers.

How to configure Cisco Router/Switch to Synchronize time from an internet NTP Time Server

Step 1 - Before configuring NTP, make sure that all Cisco Routers, and Switches are configured with same timezone. Use the following commands to configure proper time zone in your Cisco Router or Switch. "+5 30" is the time zone which currently I am residing. You should change it according to your time zone.

OmniSecuR1#configure terminal
OmniSecuR1(config)#clock timezone OmniTZ 5 30
OmniSecuR1(config)#exit
OmniSecuR1#

OmniSecuR2#configure terminal
OmniSecuR2(config)#clock timezone OmniTZ 5 30
OmniSecuR2(config)#exit
OmniSecuR2#

OmniSecuR3#configure terminal
OmniSecuR3(config)#clock timezone OmniTZ 5 30
OmniSecuR3(config)#exit
OmniSecuR3#

Step 2 - Enable name resolution in Cisco Router "OmniSecuR1" and configure the Cisco Router "OmniSecuR1" to use 8.8.8.8 (Google public DNS Server) as the DNS Server. Use 192.168.1.1 as Gateway of last resort. Configure Gateway of last resort according to your network topology.

Enabling name resolution and configuring the Cisco Router / Switch with an IP address of a DNS Server is important, because we need to resolve the FQDN of NTP Server / Server Pool to an IP address. You can configure the IP Address of the NTP Server / Server Pool also. But, the NTP time synchronization will fail if the IP address of the NTP Server / Server Pool is changed.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ip domain-lookup
OmniSecuR1(config)#ip name-server 8.8.8.8
OmniSecuR1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
OmniSecuR1(config)#exit
OmniSecuR1#

Step 3 - Check the current system time in the Cisco Router "OmniSecuR1" using "show clock detail" as shown below. You can see that NTP is not configured and output shows "No time source".

OmniSecuR1#show clock detail
*00:02:03.383 UTC Mon Mar 1 1993
No time source

Step 4 - Instruct the Cisco Router OmniSecuR1 to use "pool.ntp.org" and "asia.pool.ntp.org" as NTP Servers. After the configuration, OmniSecuR1 will start synchronizing its time from NTP server pools "pool.ntp.org" and "asia.pool.ntp.org".

Click the following links to find FQDNs / IP Addresses of public NTP pools, Stratum-1 NTP Servers and Stratum-2 NTP Servers.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ntp server pool.ntp.org
OmniSecuR1(config)#ntp server asia.pool.ntp.org
OmniSecuR1(config)#exit
OmniSecuR1#

Step 5 - Again check the system time in the Cisco Router "OmniSecuR1" using "show clock detail" as shown below. You can see that the output shows that "Time Source is NTP".

OmniSecuR1#show clock detail
13:42:25.914 UTC Fri Feb 7 2014
Time source is NTP

Step 6 - To verify the NTP configurations, you can use "show ntp status", "show ntp associations" and "show ntp associations detail" IOS commands as shown below. You can see that from the "show ntp status" the NTP Stratum of OmniSecuR1 is 3.

OmniSecuR1#show ntp status
Clock is synchronized, stratum 3, reference is 120.88.46.10
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D69F6125.290AFFB6 (13:41:57.160 UTC Fri Feb 7 2014)
clock offset is -10.1306 msec, root delay is 426.86 msec
root dispersion is 85.34 msec, peer dispersion is 17.46 msec 

OmniSecuR1#show ntp associations
address         ref clock     st  when  poll reach  delay  offset    disp
*~120.88.46.10     10.84.87.146      2    26    64  377   287.9  -18.89     2.8
+~211.39.136.4     129.6.15.28       2    27    64  377   307.2    1.29     1.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

OmniSecuR1#show ntp associations detail
120.88.46.10 configured, our_master, sane, valid, stratum 2
ref ID 10.84.87.146, time D69F5B13.7AF0569D (13:16:03.480 UTC Fri Feb 7 2014)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 139.34 msec, root disp 48.25, reach 377, sync dist 266.373
delay 288.38 msec, offset -15.9754 msec, dispersion 4.27
precision 2**22, version 3
org time D69F61A4.FF260292 (13:44:04.996 UTC Fri Feb 7 2014)
rcv time D69F61A5.2826CF84 (13:44:05.156 UTC Fri Feb 7 2014)
xmt time D69F61A4.DE518D3D (13:44:04.868 UTC Fri Feb 7 2014)
filtdelay =   288.38  287.90  288.76  287.52  287.67  288.31  287.64  288.13
filtoffset =  -15.98  -18.89  -22.23  -21.55  -21.52  -21.66  -21.88  -22.08
filterror =     0.03    1.01    1.98    2.00    2.01    2.03    2.04    2.06

211.39.136.4 configured, selected, sane, valid, stratum 2
ref ID 129.6.15.28, time D69F5E3B.F7CAA190 (13:29:31.967 UTC Fri Feb 7 2014)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 191.28 msec, root disp 37.90, reach 377, sync dist 292.847
delay 307.59 msec, offset 6.7121 msec, dispersion 5.49
precision 2**20, version 3
org time D69F61A4.076AD5EA (13:44:04.028 UTC Fri Feb 7 2014)
rcv time D69F61A4.2D126021 (13:44:04.176 UTC Fri Feb 7 2014)
xmt time D69F61A3.DE531DC7 (13:44:03.868 UTC Fri Feb 7 2014)
filtdelay =   307.59  315.54  307.16  307.98  308.15  307.19  307.88  308.59
filtoffset =    6.71    0.20    1.29    1.54    0.81    1.17    0.93    0.62
filterror =     0.03    1.01    1.98    2.00    2.01    2.03    2.04    2.06

How to configure a Cisco Router/Switch as an NTP Time Server

We have configured the internet facing router "OmniSecuR1" for NTP Time synchronization from public NTP Time Server Pools. Next task is to configure the "OmniSecuR1" as the NTP Time Server for internnal routers "OmniSecuR2" and "OmniSecuR3". To configure "OmniSecuR1" as the NTP Time server, follow these steps.

Step 1 - Create an Access Control List to specify which devices can allowed to get their time synchronized from the NTP Server.

OmniSecuR1(config)#access-list 10 permit 192.168.10.2 0.0.0.0
OmniSecuR1(config)#access-list 10 permit 192.168.10.6 0.0.0.0
OmniSecuR1(config)#exit
OmniSecuR1#

Step 2 - Enable "OmniSecuR1" as NTP Time Server. Configure the Standard ACL number to specify which devices can allowed to get their time synchronized from the NTP Server. Configure the interface name as the source of NTP traffic.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ntp master 3
OmniSecuR1(config)#ntp access-group peer 10
OmniSecuR1(config)#ntp source loopback 0
OmniSecuR1(config)#exit OmniSecuR1#

Note:

peer - peer keyword allows time synchronization requests and control queries from another NTP devices, also allows the Cisco Router/Switch to synchronize itself using the time information from other devices configured in the ACL

serve - serve keyword allows time synchronization requests and control queries from another NTP devices, will not allow the Cisco Router/Switch to synchronize synchronize itself using the time information from other devices configured in the ACL

serve-only - serve-only keyword allows only time synchronization requests from other devices configured in the ACL

query-only - query-only keyword allows only NTP control queries from other devices configured in the ACL

How to configure internal Cisco Routers/Switches to synchronize clock from internal NTP Time Server

Now configure the internal Cisco Routers (OmniSecuR1 and OmniSecuR2) to get their clock syncronized from the Router "OmniSecuR1".

OmniSecuR2#configure terminal
OmniSecuR2(config)#ntp server 192.168.10.50
OmniSecuR2(config)#exit
OmniSecuR2#

OmniSecuR3#configure terminal
OmniSecuR3(config)#ntp server 192.168.10.50
OmniSecuR3(config)#exit
OmniSecuR3#

              Jajish Thomason Google+
Related Topics
comments powered by Disqus


eXTReMe Tracker DMCA.com