It's critical that all devices on an organization's network display the accurate time and date. If they don't, things can go wrong in a hurry. David Davis explains why Cisco devices need to use Network Time Protocol (NTP) for their time synchronization needs, and he tells you how to configure NTP on your Cisco devices.
Whether you're working with a server, router, switch, firewall, or PC, it's imperative that all devices on your organization's network exhibit the correct time and date. If this critical information isn't accurate, a variety of things can go wrong.
That means event logs and firewall logs can be incorrect, you might not be able to tell when your router rebooted, and/or Windows devices may not be able to log in to the domain. The fact that Microsoft has integrated the Windows Time Service into its products only underscores the importance of proper time synchronization.
Cisco routers have embraced the Network Time Protocol (NTP), a protocol designed to synchronize the clocks of computers over a network, for many years. NTP Version 3 is a standard, formalized in RFC 1305, that uses the User Datagram Protocol (UDP) and port 123.
Unlike PCs or servers, Cisco network devices specifically need to run NTP to synchronize the time and date. That's because most Cisco devices don't have an internal clock.
For example, when a Cisco 2600 or 3600 series router loses power or the network administrator needs to reload it, the time and date are lost. Consequently, all log files, time-based access lists, or any other configuration based on time or date will either be incorrect or not work at all.
An NTP client synchronizes the time and date with an NTP server. The NTP server should be a reliable source, such as a time server on the Internet. A number of free public Internet time servers are available.
Known as stratum-1 time servers, these public Internet time servers obtain their time directly from a stratum-0 device: a reference clock such as an atomic clock, not another NTP server on the network. The greater the stratum number of a server, the greater the distance between that server and the reliable time source.
To ensure that your network devices display the most accurate time, you need to configure the NTP protocol and link your devices to a reliable time source. To do so, you have a couple of options.
You could purchase a hardware time device that obtains the time via GPS or some other method. In effect, you're essentially creating your own stratum-1 time server. However, for most small to midsize companies, a better alternative is to opt for a free Internet time server.
In my organization, we use UNIX scripts that depend on the proper router date. We receive a morning e-mail that lists all router events that occurred the previous day. The scripts go to each router and use a command similar to show logging | include May 16 to gather the date, combine it in a file, and e-mail it to all network administrators.
So, if no one has configured NTP and a router reboots, the command will find no data from that router. Nor is the command likely to ever retrieve data again, because the router reverts to its default date of February or March 1993.
Because of such possibilities, it's easy to see why it's imperative to configure NTP on your routers and switches. Configuring NTP on a Cisco IOS device is a relatively easy process.
Follow these steps:
- Choose the NTP server your devices will use.
- Find out the IP address for this server. It could be an external source such as NIST, or it could be an internal device that offers NTP services (such as a hardware device or software server from Symmetricom).
- Enter the following commands on the IOS device:
Router# configure terminal
Router(config)# ntp server <IP address of NTP Server>
- Verify the association with the server using the show ntp status and show ntp associations commands. Listing A offers an example of the output of these commands.
Before you get started, I'd like to point out a couple of things to keep in mind:
- NTP is a slow protocol, and the formation of NTP associations can take a long time. So, don't expect anything to happen fast. You can keep an eye on it using the debug ntp <option> set of commands.
- If you decide to use an Internet NTP server, make sure you open UDP port 123 inbound on your firewall to your NTP client.
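As an added illustration (not code from the article or from Cisco), the following Python NTPv3 client shows what the exchange on UDP port 123 described above looks like on the wire and how the stratum and reference id in a server's reply are read. The make_sample_response helper builds a constructed server reply so the parser can be exercised without network access; any host name passed to query_ntp_server is the reader's own choice.

```python
import socket
import struct

NTP_PORT = 123                 # NTP runs over UDP port 123 (RFC 1305)
NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# 48-byte NTPv3 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, reference/originate/receive/transmit timestamps
NTP_PACKET = struct.Struct("!B B b b I I 4s 8s 8s 8s 8s")


def build_ntp_request(version=3):
    """Client request: leap indicator 0, version 3, mode 3 (client)."""
    first_byte = (0 << 6) | (version << 3) | 3
    zero8 = b"\0" * 8
    return NTP_PACKET.pack(first_byte, 0, 0, 0, 0, 0, b"\0" * 4, zero8, zero8, zero8, zero8)


def ntp_timestamp_to_unix(raw8):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    secs, frac = struct.unpack("!II", raw8)
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def parse_ntp_response(data):
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet")
    (lvm, stratum, _poll, _prec, _rdelay, _rdisp,
     ref_id, _ref_ts, _orig_ts, _recv_ts, xmit_ts) = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    version, mode = (lvm >> 3) & 0x7, lvm & 0x7
    if mode != 4:
        raise ValueError(f"expected server mode 4, got {mode}")
    # Stratum 0 is unspecified and 16 means unsynchronized, which is what a
    # device reports before an association has formed; refuse both.
    if stratum == 0 or stratum >= 16:
        raise ValueError(f"server not synchronized (stratum {stratum})")
    # Stratum 1 carries a 4-character reference clock code (e.g. GPS); higher
    # strata carry the IPv4 address of the upstream server instead.
    if stratum == 1:
        reference = ref_id.rstrip(b"\0").decode("ascii", "replace")
    else:
        reference = socket.inet_ntoa(ref_id)
    return {"version": version, "stratum": stratum, "reference": reference,
            "transmit_time": ntp_timestamp_to_unix(xmit_ts)}


def query_ntp_server(host, timeout=5.0):
    """Send one request to host:123 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return parse_ntp_response(data)


def make_sample_response(stratum, ref_id, unix_time):
    """Constructed mode-4 server reply for offline testing, not captured traffic."""
    ts = struct.pack("!II", int(unix_time) + NTP_EPOCH_OFFSET, int((unix_time % 1) * 2**32))
    return NTP_PACKET.pack((3 << 3) | 4, stratum, 6, -20, 0, 0, ref_id, ts, b"\0" * 8, ts, ts)
```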
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.