NTP is a protocol designed to synchronize time across network devices over Local or Wide Area Networks. You can probably guess how critical this is for troubleshooting: consistent timestamps make it much easier to correlate events across devices and isolate the root cause of a problem. On top of that, certain network devices need to be in sync with a Domain Controller in order for specific applications to work. A good example is Cisco AnyConnect VPN, which requires the ASA to be tied to an Active Directory instance for authentication and authorization; if for any reason the time stamps between the two are not identical, authentication will fail. Of course, you can configure local user accounts on the ASA and that will avoid the problem mentioned above… In fact, you won’t need to point to any DC at that point, but it just does not scale when we are talking about hundreds of users.
So, NTP runs over UDP port 123. An authoritative time source, such as a radio clock or an atomic clock attached to a time server, is typically set up to distribute time information downstream to network devices via the protocol. It is extremely efficient and light on bandwidth; only one packet per minute is necessary to synchronize devices to within a millisecond of one another.
Let’s talk about the different bells and whistles that come with the protocol.
-NTP Stratum
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.
-NTP Associations
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.
-NTP Security
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
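Both mechanisms on a Cisco IOS client, shown as an added configuration example that is not from the original post. The server address 10.0.0.1, the monitoring subnet 10.0.100.0/24, the ACL numbers and the key value are constructed placeholders.

```cisco
! ---- Before: any reachable host may be accepted as a time source or may query us ----
ntp server 10.0.0.1

! ---- After: access-list restriction plus an authenticated association ----
! 1) Access-list scheme. As soon as any ntp access-group is configured, every source
!    that matches none of the groups is denied. Groups are evaluated in the order
!    peer, serve, serve-only, query-only, so give each source the narrowest one.
! Our configured server gets full "peer" access
access-list 10 permit host 10.0.0.1
! The monitoring subnet may only send control queries, never supply time
access-list 20 permit 10.0.100.0 0.0.0.255
ntp access-group peer 10
ntp access-group query-only 20

! 2) Authentication. A shared key produces a MAC over every packet exchanged with
!    the server; replies whose MAC does not verify against a trusted key are dropped,
!    so a host on the path cannot feed this device a bogus time.
!    The key value below is a placeholder; use a long random secret.
ntp authentication-key 1 md5 PLACEHOLDER-NTP-SECRET
ntp trusted-key 1
ntp authenticate
! Bind the association to key 1 so our requests are signed and replies must be
ntp server 10.0.0.1 key 1
```

The server needs the same ntp authentication-key and ntp trusted-key entries; afterwards "show ntp associations detail" on the client should list the server as "authenticated".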
-NTP Version 4
NTP version 4 is implemented on the switch. NTPv4 is an extension of NTP version 3. NTPv4 supports both IPv4 and IPv6 and is backward-compatible with NTPv3.
NTPv4 provides these capabilities:
Support for IPv6.
Improved security compared to NTPv3. The NTPv4 protocol provides a security framework based on public key cryptography and standard X.509 certificates.
Automatic calculation of the time-distribution hierarchy for a network. Using specific multicast groups, NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the lowest bandwidth cost. This feature leverages site-local IPv6 multicast addresses.
We will be using a very basic example to demonstrate how the protocol works…
Basic connectivity has already been established and, as you can see here, the router and the NTP server are directly connected. In a large network environment we’d just need to make sure that routing works and every network device can reach the NTP server. So let’s log in to the core router and make sure we can get to the server…
All right, good! Let’s now configure the NTP server with an accurate time. Note that our NTP server is actually a router. Let’s set the timezone first…
I don’t know where you are located right now, but it is definitely NOT 2002 here! Notice how we set the offset values, in both hours and minutes, from the Coordinated Universal Time (UTC) standard. We even got a console message letting us know that the system clock has been updated. Let’s now set the date and time…
All right, the commands here are pretty self-explanatory. Notice that we needed to be in “enable” mode to set the time. We have now set the accurate time on the server. Next we will need to configure the client in the same time zone…
Note that setting the timezone here does not change the system clock. Let’s now take a road trip to the server, configure it as an NTP server and set the stratum value. Let’s first illustrate how “Stratum” works…
As you can see here, Stratum 0 is the king of the castle (an atomic clock, for instance) and Stratum 1 gets its time from Stratum 0. Then Stratum 2 gets its time from Stratum 1, and so on. Stratum levels go all the way up to 15.
Let’s hop back on the Server here…
Here, we’ve successfully configured the router to be an NTP server with a stratum of 3. Let’s now point the client to the server…
That’s all there is to it! Note that it is good practice to source your NTP traffic from a loopback interface. In our case it really does not matter because we have a single exit point. Let’s now check the time on the client…
Excellent! The time has now synced up! Let’s run a couple of verification commands and make sure the client is successfully pointing to the server…
Here, we can clearly see that the clock has now synchronized! The * next to the server entry also indicates that we are in sync with it!
Quick tip: while NTP normally uses unicast (UDP port 123), it also has the capability to use both multicast and broadcast.
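The walkthrough above, reconstructed as an added configuration example rather than the post’s own screenshots. The 10.0.0.0/30 link addressing, the client loopback 10.255.255.2, the EST time zone and the date/time are constructed assumptions; the stratum of 3 is the one used in the post.

```cisco
!=== Server (a router acting as the time source), link address 10.0.0.1/30 ===
! Time zone: name, hours offset and minutes offset from UTC. This changes how the
! time is displayed but does not change the system clock itself.
clock timezone EST -5 0
! The clock is set from privileged EXEC ("enable") mode, not from config mode.
! Constructed date/time; use the real current time here.
clock set 10:30:00 1 Jun 2015
configure terminal
 ! Announce ourselves as an authoritative source at stratum 3. A real stratum-1
 ! server would have a GPS or atomic reference attached instead.
 ntp master 3
 ! Route back to the client's loopback, since replies go to the packet's source address
 ip route 10.255.255.2 255.255.255.255 10.0.0.2
end

!=== Client (core router), link address 10.0.0.2/30 ===
clock timezone EST -5 0
configure terminal
 interface Loopback0
  ip address 10.255.255.2 255.255.255.255
 ! Poll the server and source the packets from the loopback so the association
 ! is tied to an address that survives a change of physical exit interface
 ntp server 10.0.0.1
 ntp source Loopback0
end

!--- Verification on the client (allow a few polling intervals for the first sync) ---
show clock
! A leading "*" in this output means the clock is NOT yet authoritative; it
! disappears once NTP has synchronized.
show ntp status
! Expect "Clock is synchronized, stratum 4, reference is 10.0.0.1":
! the client sits one stratum below the stratum-3 server.
show ntp associations
! Expect the server line to read "*~10.0.0.1": "~" = statically configured,
! "*" = selected as the system peer, i.e. we are in sync with it.
```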
That completes this topic. Please let me know if you have any questions. Thank you for tuning in !
Tremendous blogs here. I am very happy to peer your post. Thank you a lot and I am looking forward to contact you. Will you please drop me an e-mail?
Hello Lukman,
I’ll be happy to read your email in the near future. You can contact me here: fall.oumar@hotmail.com
Regards,
Pape
You actually make it appear really easy together with your presentation, but I find this matter to be actually something which I feel I’d by no means understand. It kind of feels too complicated and extremely wide for me. I’m looking forward to your subsequent post, I’ll attempt to get the hold of it!
Sounds Good ! Just let me know if you have any questions and I’ll explain to the best of my abilities. I haven’t been writing lately due to excessive work load but I’ll be back with the pen pretty soon 😉
It’s hard to find experienced people with this subject, however, you seem like you know what you’re speaking about! Thanks
The pleasure is mine ! Thanks for the comment !
Very rapidly this site will be famous amid all blog users, due to its pleasant articles
Greetings from Florida! I’m bored at the office, therefore I decided to browse your website on my own iPhone during lunch break.
I enjoy the info you provide here and can’t wait to take a look after I return home.
I’m shocked at how quick your blog loaded on my mobile…
I’m not actually using WIFI, just 3G… Anyhow, amazing blog!
Good info. Lucky me I discovered your website unintentionally (stumbled upon). I have got saved it for later!
Pape…Just randomly strolled across your profile while searching for packet-based vs flow-based SRX content. Great..Great content. I am 5 months into my Network Admin career after switching over from 6 years as a Cyber Systems Admin. I’m aggressively attacking my certs (JNCIA and CCNA). I would love to chat with ya and get your advice on a few things. Feel free to contact me at my personal email.
Thanks
Hello Broderick,
I’m pleased to see that you find the materials informative. I think you’re making the right decision in terms of ramping up on the Network side. It’ll definitely resonate well with your Cyber Sec career.
You can drop me a voicemail via the plugin in the home page, drop me an email via the address in the “About me” page or contact me via LinkedIn.