Wednesday 10 June 2020

Configuring Network Time Protocol (NTP) the Secure Way on Cisco Routers and Switches (IOS, IOS-XE, IOS-XR, NX-OS)


Cisco IOS
e.g.
Vlan10 = management VLAN interface (NTP source)
NTP Server = 192.168.10.100

1. Configure a standard ACL that matches nothing; it is bound to the serve, serve-only and query-only groups so that no host can request time from or query this device. Use a standard ACL number (1-99 or 1300-1999): 100-199 are extended ACLs and 200-299 are protocol type-code ACLs, and ntp access-group accepts neither.
conf t
access-list 10 remark block NTP time requests and control queries
access-list 10 deny   any

2. Configure a standard ACL that permits only the NTP server(s) this device may synchronise with
access-list 20 remark NTP server to synchronise with
access-list 20 permit 192.168.10.100
access-list 20 deny   any

3. Configure NTP
ntp source Vlan10
ntp access-group peer 20
ntp access-group serve 10
ntp access-group serve-only 10
ntp access-group query-only 10
ntp update-calendar
ntp server 192.168.10.100

How the groups are evaluated: the source address of an incoming NTP packet is checked against the peer, serve, serve-only and query-only ACLs in that order and the first one that permits it wins; as soon as any access-group is configured, a source that none of them permits is dropped. The three deny-all groups are therefore belt and braces, but they make the intent explicit in the running-config. ntp update-calendar only applies to platforms with a hardware calendar. Note that these ACLs restrict which hosts may exchange NTP with the device; they do not authenticate the time source, which is a separate (NTP authentication) configuration not covered here.

Cisco IOS-XE

Loopback0 = source interface for NTP
NTP Server = 192.168.10.100

1. Configure a standard ACL that matches nothing; it is bound to the serve, serve-only and query-only groups so that no host can request time from or query this device
ip access-list standard Deny-NTP-Servers
 deny   any

2. Configure a standard ACL that permits only the NTP server(s) this device may synchronise with (the implicit deny at the end of the ACL covers everything else)
ip access-list standard Allow-NTP-Servers
 permit 192.168.10.100

3. Configure NTP
conf t
ntp source Loopback0
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100

Verify:
show ntp associations
show ntp status
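The access-group logic the IOS and IOS-XE steps above depend on (peer, serve, serve-only, query-only scanned in that order, first permitting ACL wins, implicit deny once any group exists) can be checked offline before the change is pushed. The script below is an added example and not part of the original post: it parses standard ACLs and the ntp lines out of a saved running-config, reports what a given source address is allowed to do, and flags a configured ntp server that the peer ACL does not permit, which is the classic way to lock a device out of time sync. The sample config embedded at the bottom is constructed to mirror the IOS-XE section, with an extra server 192.168.10.101 added deliberately so the check has something to find. It understands contiguous wildcard masks only.

```python
"""Offline audit of Cisco IOS / IOS-XE 'ntp access-group' restrictions (added example,
not the post's own tooling). Groups are evaluated as Cisco documents them: scanned in
the order peer, serve, serve-only, query-only; the first ACL that permits the source
wins; once any group exists, a source permitted by none of them is denied."""
import ipaddress
import re

GROUP_ORDER = ("peer", "serve", "serve-only", "query-only")
_ACL_HDR = re.compile(r"^ip access-list standard (\S+)$")
_NUMBERED = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
_ENTRY = re.compile(r"^(?:\d+ )?(permit|deny) (.+)$")
_GROUP = re.compile(r"^ntp access-group (?:ipv4 )?(peer|serve|serve-only|query-only) (\S+)")
_SERVER = re.compile(r"^ntp (?:server|peer) (?:vrf \S+ )?(\d+\.\d+\.\d+\.\d+)")


def _parse_match(spec):
    """Address part of a standard ACL entry -> ip_network (contiguous wildcards only)."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    if len(parts) == 1 or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[1]):
        return ipaddress.ip_network(parts[0])    # bare address is a single host
    # "address wildcard": ipaddress accepts a hostmask (= Cisco wildcard) in place of a prefix;
    # the two masks that are also valid netmasks are mapped explicitly
    wildcard = {"0.0.0.0": "32", "255.255.255.255": "0"}.get(parts[1], parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{wildcard}", strict=False)


def parse_config(text):
    """-> {'acls': {name: [(action, network)]}, 'groups': {kind: acl_name}, 'servers': [ip]}"""
    acls, groups, servers, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None and raw.startswith(" "):
            if m := _ENTRY.match(line):            # indented remark lines simply do not match
                acls[current].append((m.group(1), _parse_match(m.group(2))))
            continue
        current = None
        if m := _ACL_HDR.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := _NUMBERED.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), _parse_match(m.group(3))))
        elif m := _GROUP.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := _SERVER.match(line):
            servers.append(m.group(1))
    return {"acls": acls, "groups": groups, "servers": servers}


def acl_permits(entries, ip):
    """Standard ACL semantics: the first matching entry decides, no match is an implicit deny."""
    addr = ipaddress.ip_address(ip)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def ntp_access(cfg, ip):
    """Access level the device grants to NTP packets arriving from ip."""
    if not cfg["groups"]:
        return "unrestricted"                      # no access-group at all: everybody gets everything
    for kind in GROUP_ORDER:
        name = cfg["groups"].get(kind)
        if name is not None and acl_permits(cfg["acls"].get(name, []), ip):
            return kind
    return "denied"


def audit(text):
    """Findings a reviewer would raise against the NTP part of a config."""
    cfg, findings = parse_config(text), []
    if not cfg["groups"]:
        findings.append("no ntp access-group configured: any host can sync from, serve to and query this device")
    for srv in cfg["servers"]:
        if ntp_access(cfg, srv) not in ("peer", "unrestricted"):
            findings.append(f"ntp server {srv} is not permitted by the peer access-group: sync will fail")
    for kind in GROUP_ORDER[1:]:
        entries = cfg["acls"].get(cfg["groups"].get(kind), [])
        if any(a == "permit" and n.prefixlen == 0 for a, n in entries):
            findings.append(f"{kind} access-group permits any source")
    return findings


# Constructed sample: the IOS-XE configuration from this post plus a second
# ntp server (192.168.10.101) that the peer ACL does not cover.
SAMPLE_CONFIG = """\
ip access-list standard Deny-NTP-Servers
 deny   any
ip access-list standard Allow-NTP-Servers
 remark NTP server we synchronise with
 permit 192.168.10.100
!
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100
ntp server 192.168.10.101
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src in ("192.168.10.100", "192.168.10.101", "10.0.0.5"):
        print(f"{src:>16}: {ntp_access(cfg, src)}")
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run it against `show running-config` output saved to a file by passing that text to audit(); the IOS numbered form (access-list 10 permit ...) and the IOS-XE named form are both handled, and a config with no access-group at all comes back as "unrestricted", which is the state most devices are in before this procedure.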

Cisco IOS-XR

Loopback0 = source interface for NTP
NTP Server = 192.168.10.100

1. Configure an ACL that matches nothing, for the serve, serve-only and query-only groups. IOS-XR has no standard/extended split and every entry needs both a source and a destination.
ipv4 access-list Deny-NTP-Servers
 10 remark block NTP time requests and control queries
 20 deny ipv4 any any

2. Configure an ACL that permits only the NTP server(s) this device may synchronise with
ipv4 access-list Allow-NTP-Servers
 10 remark NTP server to synchronise with
 20 permit ipv4 host 192.168.10.100 any
 30 deny ipv4 any any

3. Configure NTP (typed from global configuration; do not forget the commit, nothing is applied without it)
configure
ntp server 192.168.10.100
ntp access-group ipv4 peer Allow-NTP-Servers
ntp access-group ipv4 serve Deny-NTP-Servers
ntp access-group ipv4 serve-only Deny-NTP-Servers
ntp access-group ipv4 query-only Deny-NTP-Servers
ntp source Loopback0
ntp update-calendar
commit

IOS-XR stores these under the ntp submode, so show running-config ntp looks like this:
ntp
 server 192.168.10.100
 access-group ipv4 peer Allow-NTP-Servers
 access-group ipv4 serve Deny-NTP-Servers
 access-group ipv4 serve-only Deny-NTP-Servers
 access-group ipv4 query-only Deny-NTP-Servers
 source Loopback0
 update-calendar
!

Cisco NX-OS (Nexus)

mgmt0 = source interface for NTP (in the management VRF)
NTP Server = 192.168.10.100
192.168.10.50 = management host allowed to SSH in

1. Configure an ACL that permits SSH from the management host and NTP from the NTP server only, and denies (and logs) everything else. The NX-OS NTP client sends from and receives on UDP 123, so the server's replies arrive with destination port ntp and are matched by line 100.
ip access-list ACL-VTY
  10 permit tcp 192.168.10.50/32 any eq 22
  100 permit udp 192.168.10.100/32 any eq ntp
  110 deny ip any any log

2. Apply the ACL inbound on the management interface and on the vty lines
interface mgmt0
  ip access-group ACL-VTY in
  vrf member management

line vty
    access-class ACL-VTY in

The interface ACL is stateless, so anything else that has to reach the switch on mgmt0, including replies to sessions the switch itself opens (TACACS+, RADIUS, DNS) and SNMP polls, must be added to it explicitly or the management plane breaks. NX-OS also supports ntp access-group {peer | serve | serve-only | query-only} <acl-name> with the same meaning as on IOS; the interface ACL above is stricter because it also keeps non-NTP traffic off mgmt0.

3. Configure NTP
ntp server 192.168.10.100 use-vrf management
ntp source-interface mgmt0

ntp distribute (before these commands) and ntp commit (after them) are only needed when the NTP configuration is distributed to other switches over CFS; on a standalone switch leave them out.


VERIFICATION:

CiscoDevice#show ntp status
Clock is synchronized, stratum 2, reference is 192.168.10.100
nominal freq is 250.0000 Hz, actual freq is 249.9955 Hz, precision is 2**20
ntp uptime is 645584404 (1/100 of seconds), resolution is 4016
reference time is E28AC896.7F0B30EE (10:48:54.496 SST Wed Jun 10 2020)
clock offset is 3.1247 msec, root delay is 0.55 msec
root dispersion is 36.20 msec, peer dispersion is 0.12 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000017836 s/s
system poll interval is 1024, last update was 2218 sec ago.

CiscoDevice#show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100    .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Reading the association: * marks the selected system peer and ~ that it was configured statically; reach 377 (octal) means the last eight polls were all answered; st 1 with ref clock .GPS. means the server is disciplined directly by GPS, which is why this device reports stratum 2 in show ntp status.
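The show output above proves the device is in sync; it does not prove that other hosts are being refused. The probe below is an added example, not from the original post, for checking that from a host that is not in the permitted ACL: it sends a mode 3 client time request (the packet that serve and serve-only govern, and that the NX-OS interface ACL drops) and a mode 6 READVAR control query (what query-only governs; the same packet ntpq sends) and reports whether either is answered. Against a device hardened as described, both should go unanswered from an unlisted host, or come back as a stratum 0 kiss-o'-death (refid DENY) if the kod keyword is configured on the access-group; a normal reply means the restriction is not in effect. The target host argument and the two-second timeout are assumptions; the reply parser is exercised on bytes constructed inline, using as transmit timestamp the reference time E28AC896.7F0B30EE shown in the output above.

```python
"""Host-side probe of a device's NTP access restrictions (added example, not from
the original post). Sends a mode 3 client request and a mode 6 READVAR control
query to UDP 123 and reports whether each one is answered."""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_client_request(version=4):
    """48-byte NTP packet: LI=0, VN=version, mode=3 (client), transmit timestamp=now."""
    pkt = bytearray(48)
    pkt[0] = (version << 3) | 3
    ntp_now = time.time() + NTP_UNIX_OFFSET
    struct.pack_into("!II", pkt, 40, int(ntp_now) & 0xFFFFFFFF, int((ntp_now % 1) * 2**32))
    return bytes(pkt)


def build_control_query(opcode=2, sequence=1):
    """12-byte NTP mode 6 control header (RFC 1305 appendix B).
    opcode 2 = READVAR; association id 0 asks for the system variables, as ntpq does."""
    return struct.pack("!BBHHHHH", (2 << 3) | 6, opcode & 0x1F, sequence, 0, 0, 0, 0)


def parse_reply(data):
    """Classify a reply by mode and extract the fields that matter for the check."""
    if len(data) < 12:
        raise ValueError("too short for an NTP packet")
    mode = data[0] & 0x07
    info = {"leap": data[0] >> 6, "version": (data[0] >> 3) & 0x07, "mode": mode}
    if mode == 6:
        # control reply: R/E/M bits + opcode, sequence, status, assoc id, offset, count, data
        rem_op, _seq, _status, _assoc, _offset, count = struct.unpack("!BHHHHH", data[1:12])
        info.update(opcode=rem_op & 0x1F, error=bool(rem_op & 0x40),
                    variables=data[12:12 + count].decode("ascii", "replace"))
        return info
    if len(data) < 48:
        raise ValueError(f"too short for a mode {mode} packet")
    stratum, refid = data[1], data[12:16]
    info["stratum"] = stratum
    # stratum 0 (kiss-o'-death, e.g. DENY when 'kod' is configured) and stratum 1 carry an
    # ASCII reference id; higher strata carry the IPv4 address of the upstream server
    info["refid"] = (refid.decode("ascii", "replace").strip("\x00") if stratum <= 1
                     else socket.inet_ntoa(refid))
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    info["transmit_time"] = tx_sec - NTP_UNIX_OFFSET + tx_frac / 2**32
    return info


def probe(host, timeout=2.0):
    """Send both probes to host:123; a value of None means the packet was silently dropped."""
    results = {}
    for name, pkt in (("time_request", build_client_request()),
                      ("control_query", build_control_query())):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(pkt, (host, NTP_PORT))
            try:
                data, _ = sock.recvfrom(512)
                results[name] = parse_reply(data)
            except socket.timeout:
                results[name] = None
    return results


if __name__ == "__main__":
    import sys
    for kind, reply in probe(sys.argv[1]).items():
        print(kind, "no answer (blocked)" if reply is None else f"answered: {reply}")
```

Run it once from the permitted NTP server address and once from an ordinary host: the first should get a mode 4 reply (the device is willing to peer with its server), the second nothing. A mode 6 reply from the ordinary host means control queries are still open and the query-only ACL (or the interface ACL on NX-OS) is not doing its job.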


