Time Setting and NTP Support

Network Time Protocol (NTP) is an Internet-standard protocol built on top of TCP/IP, which provides a mechanism to synchronize network devices and computers that’s accurate to a millisecond. NTP is based on Coordinated Universal Time (UTC), a time scale that couples the highly accurate atomic time with Greenwich Mean Time (GMT), which is based on the rotation rate of the Earth.

NTP ultimately synchronizes distributed time server and client clocks to the United States Naval Observatory Master Clocks in Washington, D.C., and in Colorado Springs, Colorado. This synchronization allows events to be correlated when system logs are created and other time-specific events occur. Some network processes confirm time synchronization and won’t accept updates or instructions from a device with an older time. NTP is defined in RFC 1305.

How NTP Works

An NTP server must be accessible to the NTP client device. The NTP network typically gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP distributes this time across the network.

Running continuously in the background, the NTP client sends periodic time requests to known NTP servers, obtaining server time stamps and using them to adjust the client clock. NTP is extremely efficient, requiring no more than one packet per minute to synchronize two machines to within a millisecond.

NTP uses the term “stratum” to describe the number of NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time from a stratum 1 time server, and so on. Any device configured to run an NTP client automatically selects the time source device with the lowest stratum number, effectively building a self-organizing tree of NTP speakers.

NTP devices are organized into associations (devices that share NTP information) by statically configuring, on each device, the IP addresses of all the machines with which it should form associations. In a LAN environment, NTP can instead be configured to use IP broadcast messages, with each device configured to send or receive those broadcasts. Timekeeping accuracy is only marginally reduced in that mode because the information flow is one-way only.

NTP uses the two following techniques to avoid synchronizing to a device whose time might be inaccurate:

  • The NTP device never synchronizes to an NTP server that isn’t synchronized itself.

  • The NTP device first compares the time reported by several NTP servers and won’t synchronize to a machine whose time is seriously different than the others, even if its stratum is lower.
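
The two rules above can be shown as a small selection routine. The following Python is an added illustration, not code from this book or from the PIX software, and it is a deliberate simplification of NTP’s real clock-selection algorithm: the `Candidate` record, the 50 ms agreement tolerance and the sample server list are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Candidate:
    """What the client has learned about one NTP server (constructed, not a live poll)."""
    address: str
    stratum: int        # 1 = reference clock attached; 16 = unsynchronized
    synchronized: bool  # the server reports itself as synchronized
    offset_ms: float    # server clock minus our clock, as measured by the exchange


UNSYNCHRONIZED_STRATUM = 16
MAX_DEVIATION_MS = 50.0   # assumed tolerance for "seriously different"; not an NTP constant


def select_source(candidates: List[Candidate],
                  max_deviation_ms: float = MAX_DEVIATION_MS) -> Optional[Candidate]:
    """Pick the server to synchronize to, applying the two sanity rules from the text."""
    # Rule 1: never synchronize to a server that is not synchronized itself.
    sane = [c for c in candidates
            if c.synchronized and 0 < c.stratum < UNSYNCHRONIZED_STRATUM]
    # Rule 2: with several servers to compare, reject any whose reported time is
    # far from the consensus, even if its stratum is the lowest of the group.
    if len(sane) >= 3:
        centre = median(c.offset_ms for c in sane)
        agreeing = [c for c in sane if abs(c.offset_ms - centre) <= max_deviation_ms]
    else:
        agreeing = sane   # too few servers to outvote a falseticker
    if not agreeing:
        return None
    # Among the survivors, prefer the lowest stratum, then the smallest offset.
    return min(agreeing, key=lambda c: (c.stratum, abs(c.offset_ms)))


# Constructed sample: a stratum 1 server whose clock is wildly wrong, two honest
# lower-quality servers, and one server that has lost its own upstream sync.
SAMPLE_SERVERS = [
    Candidate("10.0.0.1", stratum=1, synchronized=True, offset_ms=1800.0),    # falseticker
    Candidate("192.168.4.2", stratum=2, synchronized=True, offset_ms=-0.24),
    Candidate("192.168.4.3", stratum=3, synchronized=True, offset_ms=0.31),
    Candidate("192.168.4.4", stratum=2, synchronized=False, offset_ms=0.05),  # fails rule 1
]

if __name__ == "__main__":
    chosen = select_source(SAMPLE_SERVERS)
    print("with four servers:", chosen.address if chosen else None)
    # With only the falseticker and one honest server there is nothing to vote with.
    chosen = select_source(SAMPLE_SERVERS[:2])
    print("with two servers: ", chosen.address if chosen else None)
```

With four servers the stratum 1 falseticker is outvoted and the stratum 2 server at 192.168.4.2 is chosen; with only two servers there is no majority to compare against, so the lowest stratum wins regardless of how wrong it is. That is why a single configured server, as in the PIX configuration shown in this section, leaves the firewall trusting whatever time that one server reports.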

NTP and PIX Firewalls

Cisco’s NTP implementation doesn’t support stratum 1 service because, currently, no way exists to connect a radio or an atomic clock to the device. Most networks use a host server, such as a Windows, UNIX, or Linux system running an NTP server service. This server can synchronize with the public NTP servers available on the Internet. It is also possible to synchronize directly with one of the Internet-based NTP servers.

Configuring NTP Support

Four configuration mode commands are used to synchronize a PIX Firewall with a network time server using NTP. These ntp command variations identify the time server(s) and synchronize the PIX Firewall according to the configured options.

The ntp authenticate command enables NTP authentication on the device.

pix(config)#ntp authenticate
pix(config)#no ntp authenticate

The ntp authentication-key command is used if authentication between the firewall and the NTP server is required. Conceptually, this is similar to the AAA tacacs-server key command covered in Chapter 3. The key’s role is to ensure that only authorized partners are engaging in transactions. If authentication is used, the PIX Firewall and NTP server must share the same key.

pix(config)#ntp authentication-key number md5 value
pix(config)#no ntp authentication-key number md5 value

number

The authentication key number (1 to 4294967295).

md5

The encryption algorithm.

value

An arbitrary string of up to 32 characters. This key value appears as ********** when the configuration is viewed with the write terminal command or the show tech-support command.

The ntp server command is used to tell the PIX Firewall which interfaces to listen to (port 123) for NTP packets. Any NTP packets arriving on nondefined interfaces, or that aren’t responses to an NTP request by the PIX Firewall, are dropped.

pix(config)#ntp server ip_address [key number] source if_name [prefer]
pix(config)#no ntp server ip_address

ip_address

The IP address of the NTP server with which to synchronize

number

The authentication key number (1 to 4294967295)

if_name

The interface to use to send packets to the NTP server

prefer

Designates the network time server specified as the preferred server with which to synchronize time

If authentication is enabled, use the ntp trusted-key command to define one or more key numbers the NTP server needs to provide in its NTP packets for the PIX Firewall to accept synchronization with the NTP server.

pix(config)#ntp trusted-key number
pix(config)#no ntp trusted-key number

trusted-key

Specifies the trusted key against which to authenticate

number

The authentication key number (1 to 4294967295)

Use the clear ntp command to remove all NTP configurations, including disabling authentication and removing all authentication keys and NTP server designations.

pix(config)#clear ntp

The following example demonstrates configuring the NTP features:

pix(config)#ntp authenticate
pix(config)#ntp authentication-key 9146 md5 HopeThisWorks
pix(config)#ntp trusted-key 9146
pix(config)#ntp server 192.168.4.2 key 9146 source inside prefer
pix(config)#

Verifying and Monitoring NTP Support

Use the show ntp command to display the current NTP configuration. The following output demonstrates the show ntp command:

pix(config)#show ntp
ntp authentication-key 9146 md5 ********
ntp authenticate
ntp trusted-key 9146
ntp server 192.168.4.2 key 9146 source inside prefer
pix(config)#

Use the show ntp associations [detail] command to display the configured NTP server associations. The following is a sample of the possible output from the command without and with the detail parameter.

pix(config)#show ntp associations
  address        ref clock      st  when  poll reach  delay  offset   disp
*~192.168.4.2    172.16.100.5    4   113   128   177    4.5   -0.24  125.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

pix(config)#show ntp associations detail
192.168.4.2 configured, our_master, sane, valid, stratum 4
ref ID 172.16.100.5, time c0212639.2ecfc9e0 (10:15:05.101 UTC Wed Nov 13 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 3.36 msec, offset -0.2119 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (10:15:25.313 UTC Wed Nov 13 2002)
rcv time c02128a9.73c1954b (10:15:25.317 UTC Wed Nov 13 2002)
xmt time c02128a9.6b3f729e (10:15:25.309 UTC Wed Nov 13 2002)
filtdelay =     4.47    4.58    4.97    5.63    4.79    5.52    5.87    0.00
filtoffset =   -0.24   -0.36   -0.37    0.30   -0.17    0.57   -0.74    0.00
filterror =     0.02    0.99    1.71    2.69    3.66    4.64    5.62 16000.0
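
When reviewing this output it helps to know what the fields encode: reach is an octal shift register of the last eight polls (177 octal is 01111111, seven polls answered and the oldest missed), and the time, org, rcv and xmt values are 64-bit NTP timestamps (32 bits of seconds since 1900-01-01 UTC followed by 32 bits of binary fraction). The following Python is an added example, not code from this book or from the PIX software; it parses a constructed copy of the detail output above, decodes the timestamps and reports the conditions a practitioner would check before trusting the association. The field regexes and the thresholds in assess are assumptions. Note that the hex timestamps in the sample output do not decode to the dates printed beside them (the same value c02128a9.73c1954b appears with two different clock times in this section), so the decoder reports what the 64-bit value actually encodes.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed copy of the "show ntp associations detail" output (assumed format).
SAMPLE_DETAIL = """\
192.168.4.2 configured, our_master, sane, valid, stratum 4
ref ID 172.16.100.5, time c0212639.2ecfc9e0 (10:15:05.101 UTC Wed Nov 13 2002)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 38.04 msec, root disp 9.55, reach 177, sync dist 156.021
delay 3.36 msec, offset -0.2119 msec, dispersion 125.21
precision 2**19, version 3
org time c02128a9.731f127b (10:15:25.313 UTC Wed Nov 13 2002)
rcv time c02128a9.73c1954b (10:15:25.317 UTC Wed Nov 13 2002)
xmt time c02128a9.6b3f729e (10:15:25.309 UTC Wed Nov 13 2002)
"""

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def decode_ntp_timestamp(hexts: str) -> datetime:
    """Decode a 64-bit NTP timestamp printed as 'ssssssss.ffffffff' (hex).

    High 32 bits: seconds since 1900-01-01 00:00:00 UTC.
    Low 32 bits: binary fraction of a second.
    """
    sec_hex, frac_hex = hexts.split(".")
    seconds = int(sec_hex, 16)
    fraction = int(frac_hex, 16) / 2**32
    # Era handling (RFC 4330 convention): a clear top bit means the seconds
    # field has wrapped past 2036-02-07 and the value belongs to NTP era 1.
    if not (seconds & 0x80000000):
        seconds += 2**32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1e6))


# Assumed field patterns; "^delay" is anchored so it does not match "root delay".
_FIELDS = {
    "stratum": r"stratum (\d+)",
    "reach_octal": r"reach (\d+)",
    "root_delay_ms": r"root delay ([\d.]+) msec",
    "delay_ms": r"^delay (-?[\d.]+) msec",
    "offset_ms": r"offset (-?[\d.]+) msec",
    "dispersion_ms": r"dispersion ([\d.]+)",
}


def parse_detail(text: str) -> dict:
    """Extract the fields a practitioner checks from one association's detail block."""
    first = text.splitlines()[0]
    address, _, rest = first.partition(" ")
    flags = [f.strip() for f in rest.split(",")]
    flags = [f for f in flags if not f.startswith("stratum")]
    info = {"address": address, "flags": flags}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"field {name!r} missing from output")
        info[name] = m.group(1)
    info["stratum"] = int(info["stratum"])
    reach = int(info.pop("reach_octal"), 8)       # printed in octal on the CLI
    info["reach_bits"] = format(reach, "08b")     # bit 0 = most recent poll
    info["polls_answered"] = bin(reach).count("1")
    for name in ("root_delay_ms", "delay_ms", "offset_ms", "dispersion_ms"):
        info[name] = float(info[name])
    m = re.search(r"ref ID (\S+), time ([0-9a-f]+\.[0-9a-f]+)", text)
    info["ref_id"], info["ref_time"] = m.group(1), decode_ntp_timestamp(m.group(2))
    return info


def assess(info: dict, max_offset_ms: float = 128.0, min_polls_answered: int = 4) -> List[str]:
    """Return the conditions that make this association untrustworthy.

    Thresholds are assumptions chosen for the example, not PIX or NTP constants.
    """
    problems = []
    if "sane" not in info["flags"] or "valid" not in info["flags"]:
        problems.append("peer is not marked sane and valid")
    if not 0 < info["stratum"] < 16:
        problems.append(f"peer stratum {info['stratum']} means it is unsynchronized")
    if info["polls_answered"] < min_polls_answered:
        problems.append(f"only {info['polls_answered']} of the last 8 polls were answered")
    if abs(info["offset_ms"]) > max_offset_ms:
        problems.append(f"offset {info['offset_ms']} ms exceeds {max_offset_ms} ms")
    return problems


if __name__ == "__main__":
    detail = parse_detail(SAMPLE_DETAIL)
    print(f"{detail['address']}: stratum {detail['stratum']}, reach {detail['reach_bits']} "
          f"({detail['polls_answered']}/8 polls answered), offset {detail['offset_ms']} ms")
    print("ref time decodes to", detail["ref_time"].isoformat())
    print("problems:", assess(detail) or "none")
```

The reach register is the quickest health signal in this output: 377 octal means every one of the last eight polls was answered, while a value that keeps shrinking toward 0 means the server has stopped responding and the firewall’s clock is coasting on its last correction. A large and growing dispersion tells the same story from the other side.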

Use the show ntp status command to display the NTP clock information:

pix(config)#show ntp status
Clock is synchronized, stratum 5, reference is 192.168.4.2
nominal freq is 99.9984 Hz, actual freq is 100.0266 Hz, precision is 2**6
reference time is c02128a9.73c1954b (20:29:29.452 UTC Wed Nov 13 2002)
clock offset is -0.2403 msec, root delay is 42.51 msec
root dispersion is 135.01 msec, peer dispersion is 125.21 msec

Part III: Virtual Private Networks (VPNs)