Thursday, April 23, 2009

Using a Cisco router as a central NTP server

Ralph's recent post entitled How to time-sync your Debian server reminded me of a handy but overlooked feature of most Cisco routers -- they will act as NTP time servers. I have configured Cisco routers to act as centralized NTP servers on several occasions. My philosophy in doing so has always been:
  • Cisco's NTP implementation is very easy to configure, and will handle NTP and SNTP requests out of the box.
  • Cisco hardware generally contains very accurate clocks, so time drift is minimal.
  • I like to be a little different.

If you'd like to be a little different as well, here's how you can configure most Cisco routers to act as a simple, accurate, and effective NTP time server. I have used this procedure on Cisco 2600 and 7500 series routers. I believe it will work on any series other than 1600 and 1700 series routers.

Step 1: Configure NTP sources on your router

First, you will want to connect to your router console. You can do this with telnet, SSH, or directly via a serial console. You will want to be in your router's enable mode.

Once at your enable prompt, it's time to set some NTP sources:

router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# ntp server 192.5.41.40
router(config)# ntp server 132.163.4.103

Note: The two IP addresses listed above are "stratum 1" time servers that I have had good luck with. You may wish to google for NTP servers that are closer to your geographic area, or use pool.ntp.org.

Step 2: Secure your new NTP server

If your router is connected to the public Internet, you may wish to limit who can talk to your NTP server. You can do this by creating an Access Control List (ACL).

The following commands will block any requests from any IP address except those in the range 192.168.0.0 - 192.168.0.255 (the access list is created with the global access-list command and then applied to NTP with ntp access-group):

router(config)# access-list 10 permit 192.168.0.0 0.0.0.255
router(config)# ntp access-group peer 10
router(config)# exit

Note: peer is the most permissive of the ntp access-group types; it also lets the listed hosts act as time sources for the router. If your clients only need to ask for the time, serve-only restricts them to time requests.

Step 3: Verify correct operation of your new NTP server

You can use the command show ntp associations to confirm that your router is properly synchronizing with the NTP sources you specified in step 1. Since I cannot get output to wrap correctly here, I will say that if you see lots of random numbers for each peer, things are working. If you see dashes and zeroes for a peer, it is not synchronizing. Peers that do not synchronize after 5-10 minutes should be removed and replaced with a different peer.

You should also confirm that your router is responding to NTP requests. From a Linux machine, the following command confirms that NTP is working properly. You would, of course, want to replace the IP address with the IP of your router.

[root@server ~]# ntpdate -q 192.168.0.1
server 192.168.0.1, stratum 2, offset -0.000583, delay 0.04314

Step 4: Configure some NTP clients

Once the above is completed, you should have a fully functioning NTP and SNTP server. Wasn't that easy?!

Most other devices and operating systems support NTP or SNTP; refer to their documentation on how to configure an NTP or "Internet Time" server for synchronization. For Linux clients, you will want to add your new NTP server to /etc/ntp.conf. For Windows servers, you will want to look under Internet Time under your time settings.
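As an added example (not part of the original post), here is a small Python SNTP probe that does the same job as the ntpdate -q check in Step 3 and that any SNTP-capable client from Step 4 would be performing: it sends one client request to UDP port 123, decodes the reply, computes offset and delay, and flags a router that answers but reports itself unsynchronized (leap indicator 3, or stratum 0/16). The router address 192.168.0.1 is taken from the post's ntpdate example and is an assumption for your network.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def _to_unix(secs: int, frac: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 packed into the first byte (0x1B)."""
    return bytes([0x1B]) + bytes(47)

def parse_response(data: bytes, t_send: float, t_recv: float) -> dict:
    """Decode a server reply and compute offset/delay as in RFC 4330 (SNTP)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    words = struct.unpack("!12I", data[:48])      # 12 big-endian 32-bit words
    li, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    t2 = _to_unix(words[8], words[9])             # server Receive timestamp
    t3 = _to_unix(words[10], words[11])           # server Transmit timestamp
    offset = ((t2 - t_send) + (t3 - t_recv)) / 2  # local clock error relative to server
    delay = (t_recv - t_send) - (t3 - t2)         # round trip minus server hold time
    # Mode 4 = server reply. LI=3 ("clock unsynchronized") or stratum 0/16 means the
    # router answered but has not synced to its own sources yet, so do not trust it.
    synced = mode == 4 and li != 3 and 0 < stratum < 16
    return {"stratum": stratum, "li": li, "mode": mode, "ref_id": data[12:16],
            "offset": offset, "delay": delay, "synchronized": synced}

def query_ntp(host: str, timeout: float = 2.0) -> dict:
    """Send one SNTP request to host:123 and return the parsed result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_send = time.time()
        sock.sendto(build_request(), (host, 123))
        data, _ = sock.recvfrom(512)
        t_recv = time.time()
    return parse_response(data, t_send, t_recv)

if __name__ == "__main__":
    # 192.168.0.1 is the assumed router address from the post; adjust for your network.
    result = query_ntp("192.168.0.1")
    print(f"stratum {result['stratum']}, offset {result['offset']:+.6f}s, "
          f"delay {result['delay']:.5f}s, synchronized={result['synchronized']}")
```

A reply with synchronized=False while show ntp associations still shows dashes and zeroes confirms the router is reachable but not yet a usable time source.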
