Network Time Protocol (NTP) services are enabled on all interfaces by default. The optional tasks you can perform are documented in the following sections:
Configuring NTP Authentication
If you want to authenticate the associations with other systems for security purposes, use the commands that follow. The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Third, a list of "trusted" authentication keys is defined. If a key is trusted, this system will be ready to synchronize to a system that uses this key in its NTP packets.
To configure NTP authentication, use the following commands in global configuration mode:
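As an added illustration (not part of the original documentation, and not IOS commands), this Python sketch shows what a receiver does with a key number, an md5 key value, and the trusted-key list: the sender appends the key number and MD5(key || header) to the 48-byte NTP header, and the receiver uses the packet for synchronization only if the digest verifies and the key is trusted. The key values, the sample header, and the function names are constructed for the example; treating the key string as raw bytes is an assumption.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header
MAC_LEN = 4 + 16         # key number + MD5 digest

def ntp_mac(key_id, key, header):
    """Key number (4 bytes, big-endian) followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def accept_for_sync(packet, keys, trusted):
    """Decide whether a received packet may be used for synchronization."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "unknown key number"
    # Constant-time comparison of the expected and received MAC.
    if not hmac.compare_digest(ntp_mac(key_id, keys[key_id], header), mac):
        return False, "digest mismatch"
    if key_id not in trusted:
        return False, "key not trusted"
    return True, "ok"

# Constructed sample data (hypothetical key values, not from the page).
KEYS = {1: b"constructed-key-one", 2: b"constructed-key-two"}
TRUSTED = {1}
# LI=0, VN=3, Mode=4 (server), stratum 2; remaining header fields zeroed.
HEADER = bytes([0x1C, 2]) + bytes(46)

def demo():
    good = HEADER + ntp_mac(1, KEYS[1], HEADER)
    untrusted = HEADER + ntp_mac(2, KEYS[2], HEADER)
    tampered = bytes([0x1C, 1]) + good[2:]   # stratum changed after signing
    return {
        "good": accept_for_sync(good, KEYS, TRUSTED),
        "untrusted": accept_for_sync(untrusted, KEYS, TRUSTED),
        "tampered": accept_for_sync(tampered, KEYS, TRUSTED),
        "unauthenticated": accept_for_sync(HEADER, KEYS, TRUSTED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A key that is defined but not in the trusted list still produces a valid digest, which is why the trusted list is a separate check in this model.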
Configuring NTP Associations
An NTP association can be a peer association (meaning that this system is willing to either synchronize to the other system or to allow the other system to synchronize to it), or it can be a server association (meaning that only this system will synchronize to the other system, and not the other way around). If you want to form an NTP association with another system, use one of the following commands in global configuration mode:
Note that only one end of an association needs to be configured; the other system will automatically establish the association.
See the example titled "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.
Configuring NTP Broadcast Service
The system can either send broadcast packets or listen to them on an interface-by-interface basis. The estimated round-trip delay for broadcast packets can also be configured. Use one or more of the following commands in global configuration mode if you want to use NTP's broadcast feature:
Command | Purpose
---|---
ntp broadcast [version number] | Sends NTP broadcast packets.
ntp broadcast client | Receives NTP broadcast packets.
ntp broadcastdelay microseconds | Adjusts estimated delay.
See the example titled "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.
Configuring NTP Access Restrictions
You can control NTP access on two levels by completing the tasks in the following sections:
Creating an Access Group and Assigning a Basic IP Access List to It
To control access to NTP services, you can create an NTP access group and apply a basic IP access list to it. To do so, use the following command in global configuration mode:
Command | Purpose
---|---
ntp access-group {query-only \| serve-only \| serve \| peer} access-list-number | Creates an access group and applies a basic IP access list to it.
The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.
2. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
3. serve-only—Allows only time requests from a system whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a system whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types will be granted.
For details on NTP control queries, see RFC 1305 (NTP version 3).
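The scan order and first-match rule described above can be checked with a small model. This is an added Python example, not Cisco code: the access lists are simplified to permit/deny entries on CIDR networks (an assumption; IOS basic access lists use wildcard masks) with an implicit deny when nothing matches, and all addresses and names are constructed.

```python
import ipaddress

# Scan order from the list above: least restrictive first.
SCAN_ORDER = ["peer", "serve", "serve-only", "query-only"]

# What each access type permits, as described in the list above.
PERMITS = {
    "peer": {"time-request", "control-query", "sync-to"},
    "serve": {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}

def acl_permits(acl, src):
    """First matching entry decides; no match means deny."""
    addr = ipaddress.ip_address(src)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False

def granted_access(access_groups, src):
    """Return the access type granted to src, or None if none is granted."""
    if not access_groups:
        # No access groups configured: all access types are granted,
        # which "peer" (a superset of the others) represents here.
        return "peer"
    for access_type in SCAN_ORDER:
        acl = access_groups.get(access_type)
        if acl is not None and acl_permits(acl, src):
            return access_type
    return None

def is_allowed(access_groups, src, operation):
    granted = granted_access(access_groups, src)
    return granted is not None and operation in PERMITS[granted]

# Constructed configuration: one upstream peer, clients in 10.0.0.0/8,
# and a management subnet intended for control queries.
GROUPS = {
    "peer": [("permit", "192.0.2.10/32")],
    "serve-only": [("permit", "10.0.0.0/8")],
    "query-only": [("permit", "10.0.5.0/24")],
}

if __name__ == "__main__":
    for src in ("192.0.2.10", "10.0.5.7", "203.0.113.9"):
        print(src, granted_access(GROUPS, src))
```

In this model the management host 10.0.5.7 matches both the serve-only and query-only lists, so it is granted serve-only and its control queries are refused; overlapping access lists need to be written with the scan order in mind.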
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default. You can disable NTP packets from being received through an interface by using the following command in interface configuration mode:
Configuring the Source IP Address for NTP Packets
When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the following command in global configuration mode if you want to configure a specific interface from which the IP source address will be taken:
Command | Purpose
---|---
ntp source interface | Configures an interface from which the IP source address will be taken.
This interface will be used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command shown earlier in this chapter.
Configuring the System as an Authoritative NTP Server
Use the following command in global configuration mode if you want the system to be an authoritative NTP server, even if the system is not synchronized to an outside time source:
Caution: Use this command with extreme caution. It is very easy to override valid time sources using this command, especially if a low stratum number is configured. Configuring multiple machines in the same network with the ntp master command can cause instability in timekeeping if the machines do not agree on the time.
For an example of configuring an authoritative NTP server, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.
Configuring NTP to Update the Calendar
On systems which have calendars, you can configure NTP to periodically update the calendar.
Use the following command in global configuration mode if the system is synchronized to an outside time source via NTP and you want the system calendar to be synchronized periodically to NTP time:
For an example of configuring NTP to update the calendar, see the section "Clock, Calendar, and NTP Configuration Examples" at the end of this chapter.
Configuring SNTP
SNTP is disabled by default. In order to enable SNTP on a Cisco 1003, Cisco 1004, Cisco 1005, Cisco 1600, Cisco 1720, or Cisco 1750 router, use one or both of the following commands in global configuration mode:
Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the router.
If you enter both the sntp server command and the sntp broadcast client command, the router will accept time from a broadcast server but will prefer time from a configured server, assuming the strata are equal. To display information about SNTP, use the show sntp EXEC command.