How to configure Cisco Routers and Switches to synchronize time using NTP through IOS CLI
In a network where not all devices are connected to the internet directly, we can configure one Router (which is connected to the internet) to synchronize its time from public NTP Time Servers, and the remaining devices to synchronize from that Router. In this lab topology, the Cisco Router "OmniSecuR1" is connected to the internet directly and synchronizes its time from public NTP time servers. The other two Cisco Routers, "OmniSecuR2" and "OmniSecuR3", are configured with "OmniSecuR1" as the NTP Time Server and synchronize their time from "OmniSecuR1".
We have three routers: OmniSecuR1, OmniSecuR2 and OmniSecuR3. Here OmniSecuR1 is configured to synchronize its time with the public NTP server pools pool.ntp.org and asia.pool.ntp.org. Using a pool as the NTP Server is the better option, because a pool is a cluster of NTP Time Servers. If one NTP server fails, another server is available to provide time.
Click the following links to find FQDNs / IP Addresses of public NTP pools, Stratum-1 NTP Servers and Stratum-2 NTP Servers.
How to configure Cisco Router/Switch to Synchronize time from an internet NTP Time Server
Step 1 - Before configuring NTP, make sure that all Cisco Routers and Switches are configured with the same time zone. Use the following commands to configure the proper time zone in your Cisco Router or Switch. "+5 30" is the time zone where I currently reside. You should change it according to your time zone.

OmniSecuR1#configure terminal
OmniSecuR1(config)#clock timezone OmniTZ 5 30
OmniSecuR1(config)#exit
OmniSecuR1#

OmniSecuR2#configure terminal
OmniSecuR2(config)#clock timezone OmniTZ 5 30
OmniSecuR2(config)#exit
OmniSecuR2#

OmniSecuR3#configure terminal
OmniSecuR3(config)#clock timezone OmniTZ 5 30
OmniSecuR3(config)#exit
OmniSecuR3#
Step 2 - Enable name resolution in Cisco Router "OmniSecuR1" and configure the Cisco Router "OmniSecuR1" to use 8.8.8.8 (Google public DNS Server) as the DNS Server. Use 192.168.1.1 as Gateway of last resort. Configure Gateway of last resort according to your network topology.
Enabling name resolution and configuring the Cisco Router / Switch with the IP address of a DNS Server is important, because we need to resolve the FQDN of the NTP Server / Server Pool to an IP address. You can also configure the IP Address of the NTP Server / Server Pool directly, but NTP time synchronization will fail if the IP address of the NTP Server / Server Pool changes.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ip domain-lookup
OmniSecuR1(config)#ip name-server 8.8.8.8
OmniSecuR1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
OmniSecuR1(config)#exit
OmniSecuR1#
Step 3 - Check the current system time in the Cisco Router "OmniSecuR1" using "show clock detail" as shown below. You can see that NTP is not configured and output shows "No time source".
OmniSecuR1#show clock detail
*00:02:03.383 UTC Mon Mar 1 1993
No time source
Step 4 - Instruct the Cisco Router OmniSecuR1 to use "pool.ntp.org" and "asia.pool.ntp.org" as NTP Servers. After the configuration, OmniSecuR1 will start synchronizing its time from NTP server pools "pool.ntp.org" and "asia.pool.ntp.org".
OmniSecuR1#configure terminal
OmniSecuR1(config)#ntp server pool.ntp.org
OmniSecuR1(config)#ntp server asia.pool.ntp.org
OmniSecuR1(config)#exit
OmniSecuR1#
Step 5 - Again check the system time in the Cisco Router "OmniSecuR1" using "show clock detail" as shown below. You can see that the output shows that "Time Source is NTP".
OmniSecuR1#show clock detail
13:42:25.914 UTC Fri Feb 7 2014
Time source is NTP
Step 6 - To verify the NTP configuration, you can use the "show ntp status", "show ntp associations" and "show ntp associations detail" IOS commands as shown below. The "show ntp status" output shows that the NTP Stratum of OmniSecuR1 is 3.
OmniSecuR1#show ntp status
Clock is synchronized, stratum 3, reference is 120.88.46.10
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D69F6125.290AFFB6 (13:41:57.160 UTC Fri Feb 7 2014)
clock offset is -10.1306 msec, root delay is 426.86 msec
root dispersion is 85.34 msec, peer dispersion is 17.46 msec
OmniSecuR1#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~120.88.46.10     10.84.87.146      2    26    64  377   287.9  -18.89     2.8
+~211.39.136.4     129.6.15.28       2    27    64  377   307.2    1.29     1.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
OmniSecuR1#show ntp associations detail
120.88.46.10 configured, our_master, sane, valid, stratum 2
ref ID 10.84.87.146, time D69F5B13.7AF0569D (13:16:03.480 UTC Fri Feb 7 2014)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 139.34 msec, root disp 48.25, reach 377, sync dist 266.373
delay 288.38 msec, offset -15.9754 msec, dispersion 4.27
precision 2**22, version 3
org time D69F61A4.FF260292 (13:44:04.996 UTC Fri Feb 7 2014)
rcv time D69F61A5.2826CF84 (13:44:05.156 UTC Fri Feb 7 2014)
xmt time D69F61A4.DE518D3D (13:44:04.868 UTC Fri Feb 7 2014)
filtdelay = 288.38 287.90 288.76 287.52 287.67 288.31 287.64 288.13
filtoffset = -15.98 -18.89 -22.23 -21.55 -21.52 -21.66 -21.88 -22.08
filterror = 0.03 1.01 1.98 2.00 2.01 2.03 2.04 2.06

211.39.136.4 configured, selected, sane, valid, stratum 2
ref ID 129.6.15.28, time D69F5E3B.F7CAA190 (13:29:31.967 UTC Fri Feb 7 2014)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 191.28 msec, root disp 37.90, reach 377, sync dist 292.847
delay 307.59 msec, offset 6.7121 msec, dispersion 5.49
precision 2**20, version 3
org time D69F61A4.076AD5EA (13:44:04.028 UTC Fri Feb 7 2014)
rcv time D69F61A4.2D126021 (13:44:04.176 UTC Fri Feb 7 2014)
xmt time D69F61A3.DE531DC7 (13:44:03.868 UTC Fri Feb 7 2014)
filtdelay = 307.59 315.54 307.16 307.98 308.15 307.19 307.88 308.59
filtoffset = 6.71 0.20 1.29 1.54 0.81 1.17 0.93 0.62
filterror = 0.03 1.01 1.98 2.00 2.01 2.03 2.04 2.06
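The Step 6 check can be automated. The following Python is an added example, not part of the original tutorial: it parses "show ntp associations" rows and reports when no peer is marked as the synced master, when a peer is at stratum 16, when polls went unanswered (reach other than octal 377), or when the offset exceeds a limit. The 192.0.2.7 row, the function names and the 100 ms default limit are assumptions made for the example.

```python
import re

# Rows for 120.88.46.10 and 211.39.136.4 are the Step 6 output on this page;
# the 192.0.2.7 row is constructed to show a peer that has stopped answering.
SAMPLE = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~120.88.46.10     10.84.87.146      2    26    64  377   287.9  -18.89     2.8
+~211.39.136.4     129.6.15.28       2    27    64  377   307.2    1.29     1.3
 ~192.0.2.7        0.0.0.0          16     -    64    0     0.0    0.00 16000.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

ROW = re.compile(
    r"^\s*(?P<flags>[*#+\-~]*)(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$")

def parse_associations(text):
    """Return one dict per peer row; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            peers.append({
                "address": m["address"],
                "synced": "*" in m["flags"],      # '*' = master (synced)
                "stratum": int(m["st"]),
                "reach": int(m["reach"], 8),      # octal register of last 8 polls
                "offset_ms": float(m["offset"]),
            })
    return peers

def findings(peers, max_offset_ms=100.0):
    """List problems as text; an empty list means every check passed."""
    out = []
    if not any(p["synced"] for p in peers):
        out.append("no peer is marked '*' (master, synced)")
    for p in peers:
        if p["stratum"] >= 16:
            out.append(f"{p['address']}: stratum 16 (unsynchronized)")
        if p["reach"] != 0o377:
            missed = 8 - bin(p["reach"]).count("1")
            out.append(f"{p['address']}: {missed} of the last 8 polls unanswered")
        if abs(p["offset_ms"]) > max_offset_ms:
            out.append(f"{p['address']}: offset {p['offset_ms']} ms exceeds limit")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_associations(SAMPLE))))
```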
How to configure a Cisco Router/Switch as an NTP Time Server
We have configured the internet-facing router "OmniSecuR1" for NTP time synchronization from public NTP Time Server Pools. The next task is to configure "OmniSecuR1" as the NTP Time Server for the internal routers "OmniSecuR2" and "OmniSecuR3". To configure "OmniSecuR1" as the NTP Time Server, follow these steps.
Step 1 - Create an Access Control List to specify which devices are allowed to get their time synchronized from the NTP Server.

OmniSecuR1#configure terminal
OmniSecuR1(config)#access-list 10 permit 192.168.10.2 0.0.0.0
OmniSecuR1(config)#access-list 10 permit 192.168.10.6 0.0.0.0
OmniSecuR1(config)#exit
OmniSecuR1#
Step 2 - Enable "OmniSecuR1" as NTP Time Server. Configure the Standard ACL number to specify which devices are allowed to get their time synchronized from the NTP Server. Configure the interface name as the source of NTP traffic.

OmniSecuR1#configure terminal
OmniSecuR1(config)#ntp master 3
OmniSecuR1(config)#ntp access-group peer 10
OmniSecuR1(config)#ntp source loopback 0
OmniSecuR1(config)#exit
OmniSecuR1#
Note:
peer - the peer keyword allows time synchronization requests and control queries from other NTP devices, and also allows the Cisco Router/Switch to synchronize itself using the time information from other devices configured in the ACL
serve - the serve keyword allows time synchronization requests and control queries from other NTP devices, but will not allow the Cisco Router/Switch to synchronize itself using the time information from other devices configured in the ACL
serve-only - serve-only keyword allows only time synchronization requests from other devices configured in the ACL
query-only - query-only keyword allows only NTP control queries from other devices configured in the ACL
How to configure internal Cisco Routers/Switches to synchronize clock from internal NTP Time Server
Now configure the internal Cisco Routers (OmniSecuR2 and OmniSecuR3) to get their clocks synchronized from the Router "OmniSecuR1".

OmniSecuR2#configure terminal
OmniSecuR2(config)#ntp server 192.168.10.50
OmniSecuR2(config)#exit
OmniSecuR2#

OmniSecuR3#configure terminal
OmniSecuR3(config)#ntp server 192.168.10.50
OmniSecuR3(config)#exit
OmniSecuR3#