We are going to configure NTP Authentication on router R5 and R6 with router R5 being the time server.
Configure such that router R6 has a stratum level of 5. Use the password ‘time’ for your authentication.
For this step we are going to configure R5 to be our NTP master.
We are then going to configure R6 to use R5 as its authenticated time server.
First we will set the clock on R5.
This is done under the enable mode, not under the config mode. Remember that the time is entered as military time, based on a 24 hour clock.
R5#clock set 13:39:00 1 Aug 2007
Now that the clock is set we want R5 to act as the NTP master. We are told that R6 should have a stratum of 5. In order for R6 to have a stratum of 5 our master will need a stratum of 4. Anyone who gets the time off of the master will have the master’s stratum plus 1.
R5(config)#ntp master 4
Then we are going to set R6 to use R5 as its time server. We can point to any reachable IP address on R5, we suggest that you use a Loopback interface if possible since Loopbacks never flap.
R6(config)#ntp server 126.96.36.199
We do not have any authentication configured yet, but we should check to make sure our NTP is synchronized before adding it.
We can check to make sure R6 is synchronized with R5 by issuing the show ntp status command.
R6#show ntp status Clock is synchronized, stratum 5, reference is 188.8.131.52 nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18 reference time is CA5B0BC7.0E24598C (13:40:23.055 UTC Wed Aug 1 2007) clock offset is -0.6770 msec, root delay is 89.63 msec root dispersion is 3.30 msec, peer dispersion is 2.58 msec
Now that we know our NTP is synchronizing we can go ahead and add the authentication. NTP authentication is a little different than most. For NTP authentication it is the client that authenticates the master, not the other way around. The master only need to be told the authentication-key that it will use and nothing else. We will configure the authentication-key on R5 using the specified password of ‘time’.
R5(config)#ntp authentication-key 1 md5 time
The majority of the authentication commands go on the client, R6. We need to tell R6 to authenticate and what authentication-key to use
R6(config)#ntp authenticate R6(config)#ntp authentication-key 1 md5 time
We then need to tell R6 to only accept the server if it uses key 1 – the same key number we are specifying in the authentication-key command. This command will override the original ntp server 184.108.40.206 command.
R6(config)#ntp server 220.127.116.11 key 1
Finally on R6 we need to tell it to only trust key 1.
R6(config)#ntp trusted-key 1
Now that we have our NTP authentication configured we can check to make sure it is working by issuing the show ntp associations detail command on R6.
R6#show ntp associations detail 18.104.22.168 configured, authenticated, our_master, sane, valid, stratum 16 ref ID 127.127.7.1, time CA5B0BED.06292161 (13:41:01.024 UTC Wed Aug 1 2007) our mode client, peer mode server, our poll intvl 128, peer poll intvl 64 root delay 0.00 msec, root disp 0.03, reach 376, sync dist 48.813 delay 89.68 msec, offset -4.3660 msec, dispersion 3.95 precision 2**18, version 3 org time CA5B0C47.05C2F056 (13:42:31.022 UTC Wed Aug 1 2007) rcv time CA5B0C47.1B3444A9 (13:42:31.106 UTC Wed Aug 1 2007) xmt time CA5B0C46.F706E1D6 (13:42:30.964 UTC Wed Aug 1 2007) filtdelay = 89.68 89.63 89.84 118.70 114.38 93.61 110.18 108.02 filtoffset = -4.37 -0.68 -0.85 -14.94 -12.91 -2.53 9.75 -9.48 filterror = 0.03 1.01 1.02 1.04 1.05 1.07 1.08 1.10