The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that users can correlate events when they receive system logs and other time-specific events from multiple network devices.
Time synchronization can be authenticated so that the local router or switch obtains time only from known sources. By default, however, network time synchronization is unauthenticated: the system synchronizes to whatever source appears to have the most accurate time.
Authentication is the line of defense NTP uses to thwart tampering with the timestamps that devices log. Contrary to a common misconception, the purpose of NTP authentication is to verify the time source, not the client. When multiple servers are used, they are configured for redundancy, so that no single point of failure affects the system at any time. For these reasons, it is recommended that users configure authentication of network time services.
This article details the recommended NTP configuration to use when there are multiple NTP servers.
Where multiple NTP servers are used for clock synchronization, once the authentication key is configured, the clock synchronizes and starts sending authenticated packets to a single server only. This happens because NTP authentication is configured globally, which directs the flow of all authenticated packets towards one server and therefore provides no redundancy.
The above situation can arise if the following two conditions are met:
- NTP authentication is configured and applied globally.
- More than one NTP server is configured.
When there are multiple servers, configure an individual key on each NTP server to prevent all authenticated packets from being redirected to a single server.
For configuration details, refer to Configuring the NTP Time Server and Time Services.
A snippet of configuration with two NTP servers is displayed below:
jtac@mx104# show system ntp
Feb 25 13:56:59
boot-server 192.168.1.1;
authentication-key 1 type md5 value "$ABC123"; ## SECRET-DATA
server 192.168.1.1 key 1 prefer; ## SECRET-DATA
server 192.168.10.1 key 1 prefer; ## SECRET-DATA
trusted-key 1;
source-address 10.64.229.136;
jtac@mx104# run show configuration system ntp | display set
Feb 25 14:08:18
set system ntp boot-server 192.168.1.1
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$ABC123"
set system ntp server 192.168.1.1 key 1
set system ntp server 192.168.1.1 prefer
set system ntp server 192.168.10.1 key 1
set system ntp server 192.168.10.1 prefer
set system ntp trusted-key 1
set system ntp source-address 10.64.229.136
jtac@mx104# run show ntp associations
Feb 25 14:09:10
remote refid st t when poll reach delay offset jitter
===============================================================================
192.168.1.1 .GPGL. 1 - 5 64 1 0.002 404.719 0.014
*192.168.10.1 .GPS. 1 - 4 64 1 0.501 -0.025 0.054
jtac@mx104# run show ntp associations
Feb 25 14:22:18
remote refid st t when poll reach delay offset jitter
===============================================================================
x192.168.1.1 .GPGL. 1 - 22 64 377 0.002 404.481 0.080
x192.168.10.1 .GPS. 1 - 14 64 377 0.487 -0.214 0.110
{MASTER}[edit]
jtac@mx104#
jtac@mx104# run show ntp associations
Feb 25 14:22:19
remote refid st t when poll reach delay offset jitter
===============================================================================
x192.168.1.1 .GPGL. 1 - 23 64 377 0.002 404.481 0.080
x192.168.10.1 .GPS. 1 - 15 64 377 0.487 -0.214 0.110
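The following is an added example, not part of the original article or Juniper's own tooling: a small audit script that reads "show configuration system ntp | display set" output and flags the condition the article describes (several servers sharing one authentication key), plus servers with no key and keys that are used but not defined or not listed under trusted-key. The sample configuration embedded in it is constructed from the two-server snippet shown above.

```python
import re
from collections import defaultdict

# Constructed sample: the article's two-server configuration in "display set"
# form, where both servers reference the same authentication key 1.
SAMPLE_CONFIG = """\
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$ABC123"
set system ntp server 192.168.1.1 key 1
set system ntp server 192.168.1.1 prefer
set system ntp server 192.168.10.1 key 1
set system ntp server 192.168.10.1 prefer
set system ntp trusted-key 1
"""

SERVER_RE = re.compile(r"^set system ntp server (\S+)(?: key (\d+))?")
TRUSTED_RE = re.compile(r"^set system ntp trusted-key (\d+)")
AUTHKEY_RE = re.compile(r"^set system ntp authentication-key (\d+) ")


def audit_ntp_config(text):
    """Return a list of findings; an empty list means one defined, trusted key per server."""
    servers, trusted, defined = {}, set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := SERVER_RE.match(line):
            host, key = m.groups()
            # A server appears on several lines (key, prefer, ...); keep the key once seen.
            servers[host] = key or servers.get(host)
        elif m := TRUSTED_RE.match(line):
            trusted.add(m.group(1))
        elif m := AUTHKEY_RE.match(line):
            defined.add(m.group(1))

    findings, by_key = [], defaultdict(list)
    for host, key in sorted(servers.items()):
        if key is None:
            findings.append(f"server {host} is unauthenticated (no key)")
            continue
        by_key[key].append(host)
        if key not in defined:
            findings.append(f"server {host} references undefined key {key}")
        if key not in trusted:
            findings.append(f"key {key} (server {host}) is not listed under trusted-key")
    for key, hosts in sorted(by_key.items()):
        if len(hosts) > 1:
            findings.append(f"key {key} is shared by {', '.join(hosts)}; use one key per server")
    return findings
```

Running audit_ntp_config(SAMPLE_CONFIG) reports the shared key 1; a configuration with a distinct, defined and trusted key for each server returns no findings.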