Page 12-4
When planning your network, it is helpful to use the following general rules:
• It is usually not a good idea to synchronize a local time server with a peer (in other words,
a server at the same stratum), unless the latter is receiving time updates from a source that
has a lower stratum then from where the former is receiving time updates. This minimizes
common points of failure.
• Peer associations should only be configured between servers at the same stratum level.
Higher Strata should configure lower Strata, not the reverse.
• It is inadvisable to configure time servers in a domain to a single time source. Doing so
invites common points of failure.
NTP and Authentication
NTP is designed to use either DES or MD5 encryption authentication to prevent outside influ-
ence upon NTP timestamp information. This is done by using a key file. The key file is loaded
into the switch memory, and consists of a text file that lists key identifiers that correspond to
particular NTP entities.
If authentication is enabled on an
NTP switch, any NTP message sent to the switch must
contain the correct key ID in the message packet to use in decryption. Likewise, any message
sent from the authentication enabled switch will not be readable unless the receiving NTP
entity possesses the correct key ID.
Key files are created by a system administrator independent of the
NTP protocol, and then
placed in the switch memory. An example of a key file is show below:
1 N 29233e0461ecd6ae # des key in NTP format
2 M RIrop8KPPvQvYotM # md5 key as an ASCII random string
14 M sundial # md5 key as an ASCII string
15 A sundial # des key as an ASCII string
In a key file, the first token is the key number ID, the second is the key format, and the third
is the key itself. (The text following a “#” is not counted as part of the key, and is used
merely for description.) There are 4 key formats:
N Indicates a DES key written as a hex number, in NTP standard
format with the high order bit of each octet being the odd
parity bit.
M Indicates an MD5 key written as a 1 to 31 character ASCII string
with each character standing for a key octet.
A Indicates a DES key written as a 1 to 8 character string in 7-bit
ASCII format, where each character stands for a key octet string.
S Indicates a DES key written as a hex number in the DES stan-
dard format, with the low order bit of each octet being the odd
parity bit.
For information on activating authentication, specifying the location of a key file, and config-
uring key
IDs for switches, see the following sections:
• Configuring an NTP Client on page 12-6
• Configuring a New Peer Association on page 12-12
• Configuring a New Server on page 12-13
• Configuring a Broadcast Time Service on page 12-13