12-1. Synchronizing the IOS Firewall Clock

A Cisco IOS firewall keeps an internal system clock that can be used for Syslog time stamps, certificate time stamps, and so on. When an IOS firewall router is initialized, the system time is set from a hardware time clock (system calendar) in the router. The clock is powered by a battery in the absence of regular power. The system clock is always based on Coordinated Universal Time (UTC). UTC was previously known as Greenwich Mean Time (GMT).

You can set the system time using two different approaches:

Manually: You set the time and date on the firewall along with the time zone and specify whether to observe daylight savings time. With manual configuration, the firewall clock is only as accurate as the internal clock hardware.

Using Network Time Protocol (NTP): This is a protocol defined by RFC 1305 that provides a mechanism for the devices in the network to get their time from an NTP server. With NTP, all the devices are synchronized to a common, trusted source and keep very accurate time. NTP uses the concept of stratum to determine how close an NTP server is to an authoritative time source (an atomic or radio clock). Stratum 1 means that an NTP server is directly connected to an authoritative time source. NTP also compares the times reported from all configured NTP peers (at least three of them) and does not listen to a peer that has a significantly different time. NTP associations with other NTP peers can be protected through authentication with a shared MD5 key.

TIP: NTP version 3 is based on RFC 1305 and uses UDP port 123. Information about public NTP servers and other NTP subjects can be found at http://www.ntp.org. You can also use a commercial product as your own stratum 1 time source. For example, Symmetricom (http://www.ntp-systems.com/products.asp) offers several NTP time servers that are based on Global Positioning Satellite (GPS) signals.
Setting the Clock Manually

You can use the following steps to configure the router's clock through the command-line interface. After the clock is set, it is free-running until you manually intervene.

1. (Optional) Identify the time zone:
IOSFirewall(config)# clock timezone zone hrs-offset min-offset

The time zone is set to the abbreviated name zone (an arbitrary text string such as EST, PST, or CET). This name is used only for display purposes. It can be any common zone name. The actual displayed time is defined by an offset in hours (hrs-offset) and, optionally, minutes (min-offset) from UTC. For example, Eastern Standard Time in the U.S. is 5 hours behind UTC and would be configured as follows:
IOSFirewall(config)# clock timezone EST -5
2. (Optional) Set daylight savings time (summer time) parameters.

Use the following command if daylight savings time recurs at regular intervals:

IOSFirewall(config)# clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
If daylight savings time begins and ends on a certain day and week of a month, you can use this command. The name of the daylight savings time zone is given as zone (an arbitrary name or abbreviation, such as EDT). The week number week (1 to 4 or the words "first" and "last"), the name of the weekday, the name of the month (only the first three letters matter), and the time hh:mm in 24-hour format can all be given to start and stop daylight savings time. The offset value gives the number of minutes to add during daylight savings time (the default is 60 minutes). For example, daylight savings time in the U.S. begins at 2 a.m. on the first Sunday in April and ends at 2 a.m. on the last Sunday in October. You could define it with this command:

IOSFirewall(config)# clock summer-time EDT recurring first Sunday april 2:00 last Sunday oct 2:00 60

TIP: You can use the recurring keyword with no other arguments for any location that follows the U.S. time zone rules. The correct begin and end dates are used automatically. For the preceding example, you could define daylight savings time as follows:

IOSFirewall(config)# clock summer-time EDT recurring

Use the following command if daylight savings time occurs at specific times:

IOSFirewall(config)# clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
You can use this command to specify the exact date and time that daylight savings time begins and ends in a given year. This is useful if the begin and end times change from year to year. Specify the year number as year (four digits, 1993 to 2035).
3. Set the IOS firewall clock:

IOSFirewall# clock set hh:mm:ss {day month | month day} year

The clock is set when this command is executed. The time is given in 24-hour format, day is the day number (1 to 31), month is the name of the month (only the first three letters are needed), and year is the full four-digit year. The day and month parameters can be reversed, according to what is customary.
TIP: On most router platforms, the system clock operates on battery power when the router is powered off. Some platforms have a system clock that is set from a hardware calendar when the router is restarted. In those cases, the hardware calendar is powered from the battery. The system clock can be manually set from the hardware calendar using the clock read-calendar EXEC command. You can also set the hardware calendar so that it begins keeping accurate time. Use the following command:

IOSFirewall# calendar set hh:mm:ss [day month | month day] year

The hardware clock is set to the given time (24-hour format) and date. The month is the name of the month, day is the day number, and year is the full four-digit year. As an alternative, you can also set the system calendar from the system clock using the clock update-calendar EXEC command.

4. Verify the clock:

IOSFirewall# show clock [detail]

This command displays the current time and date. If you use the detail keyword, the source of the time ("user configuration" is the internal battery-operated clock) and any daylight savings time definitions are shown, as in this example:

IOSFirewall# show clock detail
15:08:06.280 EST Fri Jan 21 2005
Time source is user configuration
Summer time starts 02:00:00 EST Sun Apr 3 2005
Summer time ends 02:00:00 EDT Sun Oct 30 2005
IOSFirewall#
Setting the Clock with NTP

You can use the following steps to configure a router's clock to be automatically set and adjusted, based on one or more external time sources:

1. (Optional) Use NTP authentication.

Enable NTP authentication:

IOSFirewall(config)# ntp authenticate

Define an NTP authentication key:

IOSFirewall(config)# ntp authentication-key key-id md5 value

An MD5 authentication key numbered key-id (an index, 1 to 4294967295) is created. The key is given a text-string value of up to eight cleartext characters. As soon as the configuration is written to Flash memory, the key value is displayed in its encrypted form. Repeat this command to configure multiple MD5 keys.

Identify specific NTP keys to use:

IOSFirewall(config)# ntp trusted-key key-id
You can define more than one MD5 key for NTP on your router. The key-id indices don't have to match between the router and its NTP peer, and one peer can have more keys defined than another. Therefore, the router must know which of the MD5 keys should be "trusted" or actively used. This command identifies that trusted key as key number key-id. You can repeat this command to identify more than one trusted key. This is useful if you want to migrate from one key to another. You can make the old and new keys trusted until the NTP peers have migrated to the new key.
2. Identify an NTP server:

IOSFirewall(config)# ntp server ip-address [key key-id] [source if_name] [prefer] [version version]

The local router attempts to synchronize its clock with the NTP server at ip-address. By default, NTP version 3 is used, with no NTP authentication. You can set the NTP version to version (1 to 3) to match the server. If NTP authentication is used, the MD5 key numbered key-id is used in the NTP exchanges.
By default, the outgoing router interface is used as the source address in NTP packets. You can override that with a specific interface module, type, and number as if_name.
You can also repeat this command to define multiple NTP servers. The router opens and maintains a connection to each of the configured peers. However, after a battery of tests, only a subset of them is eligible as accurate sources. The server tagged with the prefer keyword is tried first; if that one fails, the next best server is tried.
3. Verify NTP operation.

Verify the current NTP status:

IOSFirewall# show ntp status

NTP should be in the synchronized state if the firewall has successfully authenticated and exchanged information with at least one NTP server. This command shows this in the first line of output, as in the following example. Notice that the firewall has become a stratum 4 time source itself, deriving its time information from a higher (lower-stratum) authority:

IOSFirewall# show ntp status
Clock is synchronized, stratum 4, reference is 192.168.254.4
nominal freq is 250.0000 Hz, actual freq is 249.9953 Hz, precision is 2**18
reference time is C3F90E14.5C9E3E43 (22:46:28.361 EST Tue Mar 9 2004)
clock offset is -0.0017 msec, root delay is 116.44 msec
root dispersion is 27.54 msec, peer dispersion is 0.55 msec
IOSFirewall#

If the clock is unsynchronized, the IOS firewall has not yet authenticated or synchronized its time clock with an NTP server. Keep checking the status every minute or so to see if the clock becomes synchronized.

View all NTP server associations:

IOSFirewall# show ntp associations [detail]

The IOS firewall clock becomes synchronized with only one NTP server; however, it keeps an association with each NTP server that is configured. NTP continuously compares clock information from all known servers so that it can maintain the most accurate time. In the following example, the firewall has associations with two NTP servers:

IOSFirewall# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.89.253   198.82.162.213    3   119   128  377     0.9    0.22     0.3
+~192.168.89.254   198.82.162.213    3    65   128  377     0.8   -0.31     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
IOSFirewall#
Notice that the two NTP servers are shown (each is stratum 3), along with the reference clock that each uses. You can add the detail keyword to see the NTP algorithm parameters in great detail, as well as the status of NTP peer authentication.
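As an added example (not from the book), the following Python script parses the two show commands above and flags the conditions the text tells you to watch for: an unsynchronized clock, peers that are not answering polls, and a synced master that disagrees with the status line. The samples are constructed to resemble the book's output; the third, unreachable peer and the use of stratum 16 for a peer with no time source are assumptions added for illustration.

```python
import re

# Constructed samples modeled on the book's show command output, not real captures.
# The third association is an invented unreachable peer to exercise the checks.
STATUS_SAMPLE = """Clock is synchronized, stratum 4, reference is 192.168.89.253
"""
ASSOC_SAMPLE = """      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.89.253   198.82.162.213    3   119   128  377     0.9    0.22     0.3
+~192.168.89.254   198.82.162.213    3    65   128  377     0.8   -0.31     0.1
 ~192.168.89.250   0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
STATUS_RE = re.compile(r"Clock is (\w+), stratum (\d+), (?:reference is (\S+)|no reference clock)")
# groups: tally code, configured flag, address, (ref clock), stratum, (when), (poll), reach
ROW_RE = re.compile(r"^([*#+ -])([~ ])(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\d+)\s+\S+\s+\d+\s+([0-7]+)")
TALLY = {"*": "master (synced)", "#": "master (unsynced)", "+": "selected",
         "-": "candidate", " ": "none"}

def parse_status(text):
    """Sync state, local stratum and reference address from 'show ntp status'."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("unrecognized show ntp status output")
    return {"synchronized": m.group(1) == "synchronized",
            "stratum": int(m.group(2)), "reference": m.group(3)}

def parse_associations(text):
    """Peer rows; reach is an octal shift register of the last eight polls (377 = all answered)."""
    peers = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        peers.append({"tally": TALLY[m.group(1)], "address": m.group(3),
                      "stratum": int(m.group(4)),
                      "polls_answered": bin(int(m.group(5), 8)).count("1")})
    return peers

def ntp_findings(status_text, assoc_text):
    """Flag an unsynchronized clock, peers missing polls or without a source, and a master mismatch."""
    status, peers = parse_status(status_text), parse_associations(assoc_text)
    findings = []
    if not status["synchronized"]:
        findings.append("clock is unsynchronized; keep checking show ntp status")
    for p in peers:
        if p["polls_answered"] < 8:
            findings.append(f"{p['address']}: {8 - p['polls_answered']} of last 8 polls missed")
        if p["stratum"] >= 16:
            findings.append(f"{p['address']}: stratum 16, peer has no time source")
    master = [p for p in peers if p["tally"] == "master (synced)"]
    if status["synchronized"] and (not master or master[0]["address"] != status["reference"]):
        findings.append("reference in show ntp status does not match the * peer")
    return findings
```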
NTP Example

In the following example, NTP is configured for authentication. The local router uses two NTP servers to synchronize its system clock. The servers require NTP authentication. One key, sourceA, authenticates a peer at 172.17.76.247, and another key, sourceB, authenticates a peer at 172.31.31.1:

IOSFirewall(config)# ntp authenticate
IOSFirewall(config)# ntp authentication-key 1 md5 sourceA
IOSFirewall(config)# ntp authentication-key 2 md5 sourceB
IOSFirewall(config)# ntp server 172.17.76.247 key 1 prefer
IOSFirewall(config)# ntp server 172.31.31.1 key 2
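An added example, not part of the book's configuration: a small Python linter for NTP lines like the ones above that checks each server's key against the authentication-key and trusted-key statements from step 1, and that the eight-character key limit and key-id range stated in the text are respected. The sample fragment is the book's example with an assumed ntp trusted-key 1 line added; the trailing 7 on a stored key is an assumption about how IOS writes an encoded key back to the configuration.

```python
import re

# Constructed fragment: the book's NTP example plus one "ntp trusted-key" line.
# It is not taken from a real device.
SAMPLE_CONFIG = """ntp authenticate
ntp authentication-key 1 md5 sourceA
ntp authentication-key 2 md5 sourceB
ntp trusted-key 1
ntp server 172.17.76.247 key 1 prefer
ntp server 172.31.31.1 key 2
"""
# Assumption: a key written back to the config appears encoded with a trailing "7",
# so the cleartext length rule below is applied only when that marker is absent.
KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 (\S+)( 7)?$")
TRUST_RE = re.compile(r"^ntp trusted-key (\d+)$")
SERVER_RE = re.compile(r"^ntp server (\S+)(.*)$")
MAX_KEY_ID, MAX_KEY_CHARS = 4294967295, 8  # limits stated in the text

def lint_ntp_config(config):
    """Return findings for NTP lines that would leave a server unauthenticated."""
    keys, trusted, servers, findings, authenticate = {}, set(), [], [], False
    for line in (raw.strip() for raw in config.splitlines()):
        km, tm, sm = KEY_RE.match(line), TRUST_RE.match(line), SERVER_RE.match(line)
        if line == "ntp authenticate":
            authenticate = True
        elif km:
            key_id, value, encoded = int(km.group(1)), km.group(2), km.group(3)
            if not 1 <= key_id <= MAX_KEY_ID:
                findings.append(f"key {key_id}: id outside 1..{MAX_KEY_ID}")
            if encoded is None and len(value) > MAX_KEY_CHARS:
                findings.append(f"key {key_id}: value longer than {MAX_KEY_CHARS} characters")
            keys[key_id] = value
        elif tm:
            trusted.add(int(tm.group(1)))
        elif sm:
            k = re.search(r"\bkey (\d+)", sm.group(2))  # key may follow other options
            servers.append((sm.group(1), int(k.group(1)) if k else None))
    if any(k is not None for _, k in servers) and not authenticate:
        findings.append("ntp authenticate is missing, so server keys are not enforced")
    for addr, key_id in servers:
        if key_id is None:
            findings.append(f"server {addr}: no key, association is unauthenticated")
        elif key_id not in keys:
            findings.append(f"server {addr}: key {key_id} is not defined")
        elif key_id not in trusted:
            findings.append(f"server {addr}: key {key_id} is not a trusted key")
    return findings
```

Run against the book's example exactly as printed, the linter reports both servers' keys as not trusted, which is the step 1 requirement the example omits.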