NTP
Stratums: Default NTP Server Stratum Level
8
NTP Master Configuration
ntp master
Starts NTP and synchronizes the device to its own clock.
ntp source fa0/1
Sets fa0/1 as the port that it sends NTP packets out of. Other NTP clients will use this interface's IP address in their "ntp server ipaddress" commands.
NTP Client Configuration
ntp server 10.10.10.1 Synchronizes its clock to the ntp master at 10.10.10.1
Stratums: Stratum Range
1 - 15
NTP peers
Allows other devices to sync to it and will also sync to other devices
NTP servers
Allows other devices to sync to it, but does not sync to other devices
sh ntp associations: #
An IP address of an NTP master that the router is configured to synchronize with and has begun the process of syncing with, but is not yet synchronized with. This is usually due to an issue during synchronization, such as the NTP server/peer not itself being synchronized to an authoritative time source (such as NTP), or that server/peer's time differing significantly from the other servers/peers. Known as "master (unsynched)".
sh ntp associations: *
An IP address of an NTP master that the router is configured to synchronize with and is currently synchronized with. Known as "our_master".
sh ntp associations: +
An IP address of an NTP master that the router is configured to synchronize with, but is not currently synchronized with because the synchronization process has not yet begun. If our_master fails or the router loses sync with our_master, this one will be chosen as a candidate for synchronization. Known as "selected".
sh ntp associations: ~
An IP address that was manually configured. Known as "configured"
NTPv3
Supports cryptographic authentication, but does not provide privacy (confidentiality).
sh ntp associations
Displays all CONFIGURED NTP peers and also shows which one of those peers the router is SYNCHRONIZED to.
Shows the IP address and status of configured NTP servers/peers.
Shows information about the NTP server or peer, not about the local device the command was run on.
The reference clock IP address is the IP address of the timing source that the NTP server/peer itself uses.
Cryptographic Authentication
The NTP server has a "shared secret" that it uses to create a hash of the NTP update, and it sends that hash along with the update. The NTP client also has the "shared secret" and uses it to compute its own hash of the NTP update it receives. If the hash it computes matches the one received with the update, the client has authenticated the update and knows that it is legitimate. Note: This only provides authentication and does NOT provide privacy.
NTPv4
Adds IPv6 support.
Prevents the GET_MONLIST requests that have been used in DDoS amplification attacks.
Configured vs Synchronized
With NTP you are "CONFIGURED" to a lot of various time sources, but are only "SYNCHRONIZED" with the one you actually use for your time.
Cryptographic Authentication Configuration: Server
ntp authentication-key 1 md5 passwordForAuthentication
Defines key 1 with the shared secret "passwordForAuthentication".
ntp authenticate
Enables NTP cryptographic authentication.
Cryptographic Authentication Configuration: Client
ntp authentication-key 1 md5 passwordForAuthentication
Defines key 1 with the shared secret "passwordForAuthentication".
ntp trusted-key 1
Assigns key 1 as a "trusted" key.
ntp authenticate
Enables NTP cryptographic authentication.
ntp server 10.10.10.1 key 1
Specifies that trusted key 1 is to be used with the connection to the NTP server at 10.10.10.1.
sh ntp status
Shows information about the local device, NOT the NTP server.
The stratum shown by sh ntp status will be 1 higher than the stratum shown by sh ntp associations for the synchronized NTP master (*), because sh ntp status shows information about the local device whereas sh ntp associations shows information about the remote device.
The reference IP is the IP of the NTP master that the local device has synced to.
sh clock: *
The device does not use a timing source (such as NTP).
Test language: Time is not authoritative.
sh clock: .
The device is configured to use a timing source (such as NTP) but is not synchronized with that source.
Test language: Time is authoritative, but NTP is not synchronized (because the NTP process has lost contact with its servers).
sh clock: No symbols (Blank)
The device uses a timing source (such as NTP) and is in sync with that source.
Test language: Time is authoritative.
Stratums
Used to describe how far away (in NTP hops) a machine is from an authoritative time source, where stratum 1 is a time server directly connected to an atomic clock.
The stratum range is 1 to 15; stratum 8 is the default NTP server stratum level.
A device that synchronizes with an NTP server takes a stratum level 1 above the server's, because the server it synchronizes to is closer to the authoritative time source.
A device configured to use NTP will use the peer/server with the lowest stratum number, unless that peer/server's time is significantly different from the other peers/servers.