Tuesday, March 24, 2009

Configuring NTP client for Cisco devices

Many things in Cisco devices depend on time, like certificates, time-based ACLs and syslog messages. When it comes to time sources, Cisco devices are pretty much the same as computers. Most of them have a hardware clock as well as a software clock. We are concerned here only with the software clock, as that is the time source used in the scenarios mentioned above.

We can manually set the time of hardware and software clocks in Cisco. To know about it, see my post about setting time in Cisco devices.

Here we will see how to set an NTP server as the time source for a Cisco device.

R0(config)#ntp server 202.55.1.1

This will set the Cisco device as a client of the NTP server 202.55.1.1, but there are a few more things to configure if you want your network to be safe and efficient.

Authentication.

To prevent malicious or accidental setting of incorrect time from an unwanted NTP server, you should use NTP authentication using NTP "keys". There will be keys configured on the NTP server, which are basically strings with a maximum length of 8 characters. The encryption scheme used to protect the key exchange is MD5.

Now enable NTP authentication first:

R0(config)#ntp authenticate

Now define the NTP server authentication key(s):

R0(config)#ntp authentication-key 1 md5 SeCrEt
R0(config)#ntp authentication-key 2 md5 TeRcEs

Here 1 and 2 are arbitrary numbers used as identifiers for each key. MD5 is the protocol used, and the last argument of the command is the key itself (this must match the key configured on the NTP server).

R0(config)#ntp trusted-key 1

This tells the device that the key "SeCrEt" that is stored locally is a trusted key which can be used for NTP authentication. Only trusted keys can be associated with an NTP server.

R0(config)#ntp server 202.55.1.1 key 1

This command associates the server 202.55.1.1 with the key "1" (SeCrEt).

This should be enough to set the authentication.

Reliability

What will happen if this NTP server goes down for a while? To deal with such a scenario you need an additional NTP server, which you can configure using the same command as above (the key part may differ though, depending on the key configured on that server).

So we introduce another server 202.55.2.1 which has an MD5 key "TeRcEs" configured.

R0(config)#ntp trusted-key 2
R0(config)#ntp server 202.55.2.2 key 2

Now we have a fail-over NTP server. But what if we need the NTP traffic to be served by 202.55.1.1 as long as it is up and running, and use the other one only if this host is down? You can specify a preferred server, which in this case will be 202.55.1.1:

R0(config)#ntp server 202.55.1.1 key 1 prefer

This will make 202.55.1.1 preferred over the other NTP servers.
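As an added example (not from the original post), here is a small Python audit that parses an IOS running-config fragment and checks the points covered above: authentication enabled, every server bound to a key that is both defined and trusted, a fail-over server present, and at most one server marked prefer. The sample config is constructed to match the commands used in this post; it is not a real device's configuration.

```python
import re

# Constructed sample config mirroring the commands in this post
# (hypothetical device, keys shown in the plaintext form as typed).
SAMPLE_CONFIG = """\
ntp authentication-key 1 md5 SeCrEt
ntp authentication-key 2 md5 TeRcEs
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp server 202.55.1.1 key 1 prefer
ntp server 202.55.2.2 key 2
"""


def audit_ntp_config(config: str) -> list:
    """Return a list of findings (empty list = no problems found)."""
    findings = []
    keys = {}          # key id -> key string
    trusted = set()    # key ids listed under 'ntp trusted-key'
    servers = []       # (address, key id or None, prefer flag)
    authenticate = False
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ntp authentication-key (\d+) md5 (\S+)", line):
            keys[int(m[1])] = m[2]
        elif m := re.fullmatch(r"ntp trusted-key (\d+)", line):
            trusted.add(int(m[1]))
        elif line == "ntp authenticate":
            authenticate = True
        elif line.startswith("ntp server "):
            tok = line.split()
            key = int(tok[tok.index("key") + 1]) if "key" in tok else None
            servers.append((tok[2], key, "prefer" in tok))
    if not authenticate:
        findings.append("ntp authenticate is missing: servers are not authenticated")
    for addr, key, _ in servers:
        if key is None:
            findings.append(f"server {addr} has no key: unauthenticated time source")
        elif key not in keys:
            findings.append(f"server {addr} uses undefined key {key}")
        elif key not in trusted:
            findings.append(f"server {addr} uses key {key} which is not a trusted-key")
    if len(servers) < 2:
        findings.append("fewer than two NTP servers: no fail-over")
    if sum(1 for _, _, pref in servers if pref) > 1:
        findings.append("more than one server marked prefer")
    return findings
```

Run it against the output of `show running-config | include ntp` to confirm a device matches the configuration described here.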

There are many more security features that you can configure to secure NTP, like enabling NTP messages to be received on selected interfaces and NTP access-group ACLs. I will detail them in another post.
