A typical Authenticated NTP configuration looks like this:
NTP Server
R1(config)# ntp master
R1(config)# ntp authentication-key 22 md5 SECRET-NTP-KEY
NTP Client:
R2(config)# ntp authenticate
R2(config)# ntp authentication-key 22 md5 SECRET-NTP-KEY
R2(config)# ntp trusted-key 22
R2(config)# ntp server 12.0.0.1 key 22
I'm confused about the individual purposes of each command in the Client configuration.
What does ntp authenticate do different from ntp trusted-key 22? In what cases would I have one command applied but not the other?
I understand ntp authenticate turns on NTP authentication, and ntp authentcation-key ## ... configures a specific authentication key. Then ntp server x.x.x.x key ## associates a particular key to a particular NTP Server. But why would it be necessary to then add an additional command to indicate you trust a particular authentication key (ntp trusted-key ...)?
Wouldn't simply having the key configured be sufficient to indicate that it is trusted?
Best Answer
With NTP, authentication is controlled by the requester. An NTP server cannot force authentication on NTP clients; it is happy to send out unauthenticated NTP to clients. A client must request NTP authentication, and it will reject unauthenticated NTP if it has requested authentication.
The
ntp mastercommand tells a device to be the master clock when an NTP source is not available. This is an oft misunderstood command that is rarely necessary.The
ntp authentication-keycommand merely sets up what the authentication key is. Notice that you set up the key on the server. If that command required authentication, then the NTP server would also require the authentication of its NTP server (NTP is layered).The
ntp authenticatecommand says that the NTP client will require authentication from its NTP server.The
ntp trusted-keycommand tells the client which of the configured keys to use.The
ntp servercommand tells the client which NTP server to use.Edit based on your comments:
I originally answered your question:
but that doesn't seem to really be your question.
If you are going to configure multiple NTP servers with different authentication keys, it will probably look something like this:
NTP Server 1:
NTP Server 2:
NTP Server 3:
NTP Client:
If you are going to configure multiple NTP servers with the same authentication keys, it will probably look something like this:
NTP Server 1:
NTP Server 2:
NTP Server 3:
NTP Client:
Having the NTP source based on the loopback is a good idea. If one link goes down, NTP can still be updated if the traffic can get to and from the server via a different path.
The
ntp trusted-key <key numbercommand will be used for commands on which you don't use the optionalkey <key number>for any of thentp server <server address> orntp peer ` commands.The
ntp source <interface>command will be used for commands on which you don't use the optionalsource <interface>for any of thentp server <server address> orntp peer ` commands.Edit 2:
The NTP configuration from lab tests (not performed by me, but by a group which tests all network hardware/software features) for routers with IOS 15.x that passed (the password and addresses were changed for protection):
Notice that the optional
key <key number>is not used on thentp server <server address>commands because the servers are configured with the same authentication key.