Technical Documentation

Example: Configuring NTP as a Single Time Source for Router Clock Synchronization

Debugging and troubleshooting are much easier when the timestamps in the log files of all routers are synchronized, because events that span the network can be correlated with synchronous entries in multiple logs. We strongly recommend using the Network Time Protocol (NTP) to synchronize the system clocks of routers and other network equipment.

By default, NTP operates in an entirely unauthenticated manner. If a malicious attempt to influence the accuracy of a router’s clock succeeds, it could have negative effects on system logging, make troubleshooting and intrusion detection more difficult, and impede other management functions.

The following sample configuration synchronizes all the routers in the network to a single time source. We recommend using authentication to make sure that the NTP peer is trusted. The boot-server statement identifies the server from which the initial time of day and date is obtained when the router boots. The server statement identifies the NTP server used for periodic time synchronization. The authentication-key statement specifies that an HMAC-Message Digest 5 (MD5) scheme should be used to hash the key value for authentication, which prevents the router from synchronizing with an attacker’s host posing as the time server.

[edit]system {ntp {authentication-key 2 type md5 value "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATAboot-server;server;}}

Published: 2010-04-26