90-NTP+Security

The document outlines the configuration and security measures for Network Time Protocol (NTP), including the use of Access Control Lists (ACL) and MD5 authentication for securing NTP communications. It provides detailed commands for configuring routers as NTP servers and clients, as well as troubleshooting and verifying NTP status. Additionally, it explains the significance of various NTP status fields and how to interpret them.


NTP Security & Authentication:

o NTP communications can be secured using an Access Control List (ACL).
o NTP can be secured by an authentication mechanism that uses the MD5 algorithm.
o All NTP packets that can update the clock have to be authenticated.
o The packets are authenticated using HMAC MD5, and each authenticated packet carries a key number.
o To use an ACL, write an ACL that permits certain IP addresses or a range, then apply it to NTP.
o The access-group command has these options, ordered from least restrictive to most restrictive.

Routers Basic Configuration


Core(config)# interface f0/0
Core(config-if)# ip address dhcp
Core(config-if)# no shutdown
Core(config)# interface f1/0
Core(config-if)# ip address 192.168.1.100 255.255.255.0
Core(config-if)# no shutdown
Core(config)# ip name-server 8.8.8.8
Core(config)# ip domain-lookup
R1(config)# interface f0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R2(config)# interface f0/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# no shutdown

Created by Ahmad Ali, E-Mail: ahmadalimsc@gmail.com, Mobile: 056 430 3717


Adjust Router Clock
Core# show calendar
Core# show clock
Core# show clock detail
Core# clock set 4:14:1 Jan 1 2019
Core(config)# clock timezone UTC 3
Core# show clock

Configure NTP Server


Core(config)# ntp master
Core(config)# ntp master 3
Core(config)# ntp source loopback 1
Core(config)# interface f1/0
Core(config-if)# ntp broadcast
Core# show clock
Core# show clock detail

Configure NTP Server/Client


R1(config)# ntp server 192.168.1.100
R1(config)# ntp server 192.168.1.100 version 3
R1# show clock
R1# show clock detail

Configure NTP Client


R2(config)# ntp server 192.168.1.1
R2(config)# ntp server 192.168.1.1 version 3
R2(config)# interface f0/0
R2(config-if)# ntp broadcast client
R2# show clock
R2# show clock detail

Configure NTP Peer


R1(config)# ntp peer 192.168.1.2
R2(config)# ntp peer 192.168.1.1
R1(config)# ntp peer 192.168.1.2 version 3
R2(config)# ntp peer 192.168.1.1 version 3
R1# show ntp associations



Configure Authentication on NTP Server
Core(config)# ntp master 5
Core(config)# ntp authenticate
Core(config)# ntp trusted-key 1
Core(config)# ntp authentication-key 1 md5 test

Configure Authentication on NTP Client


R1(config)# ntp server 192.168.1.100 key 1
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp authentication-key 1 md5 test

Configure Authentication on NTP Peer


R2(config)# ntp peer 192.168.1.1 key 1
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp authentication-key 1 md5 test
R2# debug ntp packet
R2# debug ntp auth

Configure ACL on NTP Server


Core(config)# access-list 1 permit public-IP
Core(config)# ntp access-group peer 1
Core(config)# access-list 11 permit 192.168.1.1
Core(config)# access-list 11 permit 192.168.1.2
Core(config)# ntp access-group serve-only 11

Configure ACL on NTP Client


R1(config)# access-list 3 permit 192.168.1.100
R1(config)# ntp access-group peer 3
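
The authentication and ACL steps above only protect a router when every piece is present: the key is defined, trusted, referenced by each server or peer, and an access-group points at an ACL that exists. The following is an added example, not part of the original document: a small Python audit of the NTP lines of a saved configuration. The function names and the sample configuration are constructed here, and it assumes one command per line, single key IDs and numbered ACLs.

```python
import re

# Constructed sample: R1's NTP lines from this page plus one peer without a
# key (added here) so the audit has something to report.
SAMPLE_CONFIG = """\
ntp authentication-key 1 md5 test
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.100 key 1
ntp peer 192.168.1.2
access-list 3 permit 192.168.1.100
ntp access-group peer 3
"""

def _ids(lines, pattern):
    """Collect the first capture group of every line matching pattern."""
    return {m.group(1) for l in lines if (m := re.match(pattern, l))}

def audit_ntp(config):
    """Return a list of findings for the NTP lines of an IOS-style config.

    Assumes one command per line, numbered ACLs and single key IDs
    (no key ranges, no VRF keyword).
    """
    lines = [l.strip() for l in config.splitlines()]
    defined = _ids(lines, r"ntp authentication-key (\d+) md5 \S")
    trusted = _ids(lines, r"ntp trusted-key (\d+)$")
    acls = _ids(lines, r"access-list (\d+) ")
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate is not enabled")
    if not _ids(lines, r"ntp access-group (\S+) "):
        findings.append("no ntp access-group is applied")
    for l in lines:
        if m := re.match(r"ntp (server|peer) (\S+)(.*)$", l):
            kind, addr, rest = m.groups()
            key = re.search(r"\bkey (\d+)", rest)
            if not key:
                findings.append(f"{kind} {addr}: no key, association is unauthenticated")
            elif key.group(1) not in defined:
                findings.append(f"{kind} {addr}: key {key.group(1)} has no authentication-key")
            elif key.group(1) not in trusted:
                findings.append(f"{kind} {addr}: key {key.group(1)} is not a trusted-key")
        elif m := re.match(r"ntp access-group \S+ (\d+)$", l):
            if m.group(1) not in acls:
                findings.append(f"access-group references undefined ACL {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_CONFIG):
        print(finding)
```
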



Troubleshoot and Verify NTP:
Several commands are available to verify NTP; some of them are the following:
show ntp status
show ntp associations
show ntp associations detail
debug ntp packet
debug ntp events
debug ntp authentication

Field                         Description
Characters in display lines   *  Synchronized to this peer
                              #  Almost synchronized to this peer
                              +  Peer selected for possible synchronization
                              -  Peer is a candidate for selection
                              ~  Peer is statically configured
Address                       Address of peer.
ref clock                     Address of reference clock of peer.
St                            Stratum of peer.
When                          Time since last NTP packet was received from peer.
Poll                          Polling interval (in seconds).
Reach                         Peer reachability (bit string, in octal).
Delay                         Round-trip delay to peer (in milliseconds).
Offset                        Relative time of peer clock to local clock (in milliseconds).
Disp                          Dispersion
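
The fields above can be read programmatically to confirm that peers are still reached after authentication or an ACL is applied. The following is an added example, not part of the original document: a Python parser for association lines that decodes the leading characters and expands the octal Reach value into its eight-poll history. The sample output is constructed, and the column order is assumed to match the field list above.

```python
# Leading-character meanings as given in the field table.
FLAGS = {
    "*": "synchronized to this peer",
    "#": "almost synchronized to this peer",
    "+": "selected for possible synchronization",
    "-": "candidate for selection",
    "~": "statically configured",
}

# Constructed sample output, not captured from a real device.
SAMPLE_OUTPUT = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.1.100    127.127.1.1       5    29    64   377    1.0    0.52     0.3
+~192.168.1.1      192.168.1.100     6    12    64   376    2.1    1.10     0.9
 ~192.168.1.2      0.0.0.0          16     -    64     0    0.0    0.00 16000.0
"""

def parse_associations(text):
    """Parse association lines into dicts with decoded flags and reach."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or fields[0] == "address":
            continue  # header, legend or blank line
        address = fields[0].lstrip("".join(FLAGS))
        flags = fields[0][: len(fields[0]) - len(address)]
        reach = int(fields[5], 8)  # octal text -> 8-bit shift register
        peers.append({
            "address": address,
            "flags": [FLAGS[c] for c in flags],
            "synchronized": "*" in flags,
            "stratum": int(fields[2]),
            "history": format(reach, "08b"),  # oldest poll left, newest right
            "answered": bin(reach).count("1"),
            "last_poll_answered": bool(reach & 1),
        })
    return peers

def unhealthy(peers):
    """Peers that missed the latest poll or report stratum 16 (unsynchronized)."""
    return [p["address"] for p in peers
            if not p["last_poll_answered"] or p["stratum"] == 16]

if __name__ == "__main__":
    for peer in parse_associations(SAMPLE_OUTPUT):
        print(peer["address"], peer["history"], peer["flags"])
```
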



Field             Description
Synchronized      System is synchronized to an NTP peer.
Unsynchronized    System is not synchronized to any NTP peer.
Stratum           NTP stratum of this system.
Reference         Address of peer the system is synchronized to.
nominal freq      Nominal frequency of system hardware clock.
actual freq       Measured frequency of system hardware clock.
Precision         Precision of the clock of this system (in Hertz).
reference time    Reference time stamp.
clock offset      Offset of the system clock to synchronized peer.
root delay        Total delay along path to root clock.
root dispersion   Dispersion of root path.
peer dispersion   Dispersion of synchronized peer.
