NTP Time Server
Chapter 24
In This Chapter
The NTP Server
Download and Install The NTP Package
The /etc/ntp.conf File
How To Get NTP Started
Testing And Troubleshooting NTP
Configuring Cisco Devices To Use An NTP Server
Firewalls and NTP
Configuring A Windows NTP Client
Conclusion
(c) Peter Harrison, www.linuxhomenetworking.com
===========================================
The Network Time Protocol (NTP) is a protocol used to help synchronize your Linux system's clock with an
accurate time source. There are NTP sites that allow the general public to synchronize with them. They are
divided into two types:
Stratum 1: NTP sites using an atomic clock for timing.
Stratum 2: NTP sites with slightly less accurate time sources.
It is good practice to have at least one server on your network be the local time server for all your other
devices. This makes the correlation of system events on different systems much easier. It also reduces
Internet bandwidth usage due to NTP traffic and reduces the need to manage firewall rules for each NTP
client on your network. Sometimes, not all your servers will have Internet access; in such cases you'll need a
central server that all can access.
For a list of available Stratum 1 and 2 servers consult http://www.eecis.udel.edu/~mills/ntp/servers.html
http://www.linuxhomenetworking.com/linux-hn/ntp.htm
1/11/2005
1.
otherntp.server.org
ntp.research.gov
2.
Restrict the type of access you allow these servers. In this example the servers are not allowed to
modify the run-time configuration or query your Linux NTP server.
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP
address of the remote NTP servers.
3.
If this server is also going to provide time for other computers, such as PCs, other Linux servers and
networking devices, then you'll have to define the networks from which this server will accept NTP
synchronization requests. You do so with a modified restrict statement with the noquery replaced with
a notrust keyword. This allows the network to query your NTP server, but it won't be trusted to be a
source of NTP synchronization data. The syntax is:
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
In this case the mask statement has been expanded to include all 255 possible IP addresses on the
local network.
4.
We also want to make sure that localhost (the universal IP address used to refer to a Linux server
itself) has full access without any restricting keywords:
restrict 127.0.0.1
5.
Save the file and restart NTP for these settings to take effect.
You can now configure other Linux hosts on your network to synchronize with this new master NTP server
in a similar fashion.
The date was originally set to midnight, which was verified by using the date command.
[root@smallfry tmp]# date
Thu Aug 12 00:00:00 PDT 2004
[root@smallfry tmp]#
The ntpdate command is run three times to synchronize smallfry's clock to server
192.168.1.100, but it must be run while the ntpd process is stopped. So you'll have to stop ntpd,
run ntpdate and then start ntpd again.
Older versions of the NTP package that don't work correctly if you use the DNS name for the NTP
servers. In these cases you will want to use the actual IP addresses instead.
A firewall blocking access to your Stratum 1 and 2 NTP servers. This could be located on one of the
networks between the NTP server and its time source, or firewall software such as iptables could
be running on the server itself.
The notrust nomodify notrap keywords are present in the restrict statement for the NTP
client. In some versions of Fedora Core 2's implementation of NTP, clients will not be able to
synchronize with a Fedora Core 2 time server unless the notrust nomodify notrap keywords
are removed from the NTP client's restrict statement.
In this example the restrict statement has only the client network defined without any keywords and
the configuration line that works with other NTP versions has been commented out:
# -- CLIENT NETWORK -------
#restrict 172.16.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 172.16.1.0 mask 255.255.255.0
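As an added example (not code from the original chapter), the Python script below parses restrict lines like those in the configuration steps and in the troubleshooting item above, then reports single-host entries without noquery, non-loopback entries without nomodify, and client networks that carry notrust. SAMPLE_CONF is constructed, and the function names and finding strings are assumptions of this example.

```python
import ipaddress
# Constructed sample in the style of this chapter's /etc/ntp.conf lines.
SAMPLE_CONF = """\
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
#restrict 172.16.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 172.16.1.0 mask 255.255.255.0
restrict 127.0.0.1
"""

HOST_MASK = "255.255.255.255"  # ntpd's default when no mask is given

def parse_restrict(text):
    """Return (address, mask, flags) for every active restrict line."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        mask = "0.0.0.0" if addr == "default" else HOST_MASK
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        entries.append((addr, mask, set(rest)))
    return entries

def audit(text):
    """Return (address, finding) pairs; finding names are this example's own."""
    findings = []
    for addr, mask, flags in parse_restrict(text):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:          # DNS name or "default"
            loopback = False
        if loopback:
            continue                # localhost keeps full access (step 4)
        single_host = mask == HOST_MASK
        if "nomodify" not in flags:
            findings.append((addr, "no nomodify"))
        if single_host and "noquery" not in flags:
            findings.append((addr, "single host without noquery"))
        if not single_host and "notrust" in flags:
            findings.append((addr, "notrust on a client network"))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(f"{addr}: {finding}")
```

Run it against a copy of /etc/ntp.conf by passing the file's text to audit(); only the IPv4 address, mask and keyword forms shown in this chapter are handled.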
Cisco IOS
To make your router synchronize with NTP servers with IP addresses 192.168.1.100 and
192.168.1.201, use the commands:
ciscorouter> enable
password: *********
ciscorouter# config t
ciscorouter(config)# ntp update-calendar
ciscorouter(config)# ntp server 192.168.1.100
ciscorouter(config)# ntp server 192.168.1.201
ciscorouter(config)# exit
ciscorouter# wr mem
The ntp server command forms a server association with another system, and ntp update-calendar
configures the system to update its hardware clock from the software clock at periodic intervals.
CAT OS
To make your switch synchronize with NTP servers with IP addresses 192.168.1.100 and
192.168.1.201, use the commands:
ciscoswitch> enable
password: *********
ciscoswitch# set ntp client enable
ciscoswitch# set ntp server 192.168.1.100
ciscoswitch# set ntp server 192.168.1.201
ciscoswitch# exit
The set ntp server command forms a server association with another system, and set ntp client
enable activates the NTP client.
6.
Click on the time at the bottom right hand side of your screen.
7.
8.
Click the check box labeled "Automatically synchronize with an Internet time server" and enter the
name or IP address in the box underneath it.
9.
You will get a message saying "Your time has been successfully synchronized" when the operation is
complete.
Conclusion
It is important that all the systems under your control have the same accurate time. It can help to give a very
clear indication of a chain of events that involve multiple devices, and it can also help in the synchronization
of time-sensitive transactions.
Having an NTP server on your local network can make this easier to do. Sometimes it isn't desirable for all
your NTP clients to have access to the Internet to synchronize with stratum 1 and 2 servers. Even when
they all have access, there is the risk of them losing synchronization if the central connection to the Internet
is lost. The maintenance of firewall rules for multiple NTP connections to the Internet can also be daunting,
especially if the management of the firewall is handled by another group.
A local NTP server can ensure that the clients all have the same time relative to the server even when
Internet connectivity is temporarily lost, thereby reducing the problems of them being out of synchronization
with each other. The firewall rules can also be greatly simplified. A local NTP server is frequently a good
thing to have for these reasons.