In this post I am going to write about how I set up an NTP (Network Time Protocol) daemon (server) so that my GNS3 routers can use it to set their time.
I will be setting this up on the same Ubuntu machine that I use for my free TACACS+ server, as explained in a previous post [ref 2].
Okay, basically the reason we want to set up an NTP server is so that all our network devices (routers, switches, etc.) can synchronize their time correctly, so we want the time source to be reliable. There are a few public NTP servers out there that you can use. A simple Google search such as “nsw public ntp servers” reveals some of the closest public NTP servers for the state I live in (NSW, Australia).
If you want to familiarize yourself with the whole NTP concept and public NTP servers, I highly recommend this video by the Cisco master ‘Jimmy Ray Purser’: http://www.youtube.com/watch?v=xJEIIMe55d0
Initial Setup for Internet Connection
Let’s get started. My Ubuntu machine is currently assigned a static IP address, which it uses through the “Host Only” VMware network configuration. While this successfully connects the Ubuntu virtual machine with my GNS3 routers, it means I will not have an Internet connection. We need an Internet connection so we can get the correct time from our selected public NTP server.
There are a few ways in which you can provide an Internet connection to this VMware Ubuntu machine. The way I selected is to add a second network interface through the VMware settings [ref 4]:
For this new Network Adaptor, make sure you select NAT on the next screen as shown below:
Okay, now power on your machine. Your new network adaptor will appear as ‘eth1’ when you type ‘ifconfig’ on your terminal:
user@ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:25:0d:12
inet addr:10.3.0.20 Bcast:10.3.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe25:d12/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:951 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:89787 (89.7 KB) TX bytes:23108 (23.1 KB)
Interrupt:17 Base address:0x1080
eth1 Link encap:Ethernet HWaddr 00:0c:29:25:0d:1c
inet addr:192.168.206.136 Bcast:192.168.206.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe25:d1c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:877 errors:0 dropped:0 overruns:0 frame:0
TX packets:127 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:86622 (86.6 KB) TX bytes:18095 (18.0 KB)
Interrupt:16 Base address:0x1480
‘eth0’ is the interface that I am using to talk with my GNS3 routers, and the new ‘eth1’ interface is the one that should provide me with Internet access as required.
Now remember, eth0 is still considered your default network connection, so we must change the default to use eth1. This can be done quite easily using the GUI.
Click on the Network Connection icon on the top-right hand corner of the screen
And select ‘Edit connections’ from the menu:
It will show you your two network interfaces. We want to edit ‘eth0’, which was ‘Wired Connection 1’. Select it and click ‘Edit’.
On the next menu, switch over to the ‘IPV4 Settings’ tab. The IP address we see here is the one that I statically assigned to talk with GNS3. Click on the ‘Routes..’ button below:
On the next screen, we want to tick the ‘Use this connection only for resources on this Network’ checkbox:
Apply the settings and close the menus. Now restart your machine for the changes to take effect.
Now when you log in to your machine again you will have an Internet connection. This is because ‘eth1’ is now considered your default network.
root@ubuntu:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.206.2 0.0.0.0 UG 0 0 0 eth1
10.3.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
192.168.206.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
So you can open up a browser and access a web page. Mind you, pings to Internet hosts such as google.com should not be used to confirm connectivity, because I found that my host OS firewall and security suite are blocking them anyway.
The cool thing is that now you have both an Internet connection (through eth1) and a connection to the GNS3 routers (through eth0).
You can confirm this by pinging the Ubuntu machine from your router. On the router I also made sure I can still reach this host, and in particular confirmed that my TACACS+ server is still working:
R1#ping 10.3.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/40 ms
R1#test aaa group tacacs+ admin cisco123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
Perfect! It still works
NTP Server Setup
Now that we have the much needed internet connection setup, we can move onto setting up our NTP server.
For this I will use this valuable guide here as reference [ref 1]: http://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server
First, let’s check a bit of info about the NTP daemon we are about to install:
root@ubuntu:~# aptitude show ntp
Package: ntp
State: not installed
Version: 1:4.2.6.p3+dfsg-1ubuntu3.1
-- omitted --
Description: Network Time Protocol daemon and utility programs
NTP, the Network Time Protocol, is used to keep computer clocks accurate by
synchronizing them over the Internet or a local network, or by following an
accurate hardware receiver that interprets GPS, DCF-77, NIST or similar time
signals.
This package contains the NTP daemon and utility programs. An NTP daemon needs
to be running on each host that is to have its clock accuracy controlled by
NTP. The same NTP daemon is also used to provide NTP service to other hosts.
For more information about the NTP protocol and NTP server configuration and
operation, install the package "ntp-doc".
Homepage: http://support.ntp.org/
Looks like the package we’re looking for. Let’s go ahead and install it
root@ubuntu:~# aptitude install ntp
Once it’s installed, let’s configure it by editing the ‘ntp.conf’ file:
root@ubuntu:~# gedit /etc/ntp.conf
Inside this file we are going to specify the public NTP servers that we will be retrieving the time from. As I mentioned earlier, I found a few public NTP servers that are close to me through a Google search.
I think the closest one I can have is the NTP server provided by my ISP, so I will be marking it as my ‘most promising one’ as mentioned in the article [ref 1]. To mark the most promising one we use the ‘iburst’ keyword. In the configuration file you will find a few sample servers already listed. I replaced them with my selected public NTP server list:
server time.iinet.net.au iburst
server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org
I enabled stats logging so I can have a look at the NTP stats. I can disable that later once I confirm everything is working well.
# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
The author of the above mentioned guide advises that we put the local machine as a default fall back server so the local time can be used when we have lost connection with the public NTP servers.
To do this we add a local loopback IP address at end of server list:
# Use Ubuntu's ntp server as a fallback.
# --> (I'll add When no other connection use the local-time)
server ntp.ubuntu.com
server 127.127.1.0
fudge 127.127.1.0 stratum 10
Now we restart the NTP daemon
root@ubuntu:~# /etc/init.d/ntp restart
* Stopping NTP server ntpd [ OK ]
* Starting NTP server ntpd [ OK ]
Now the ref. 1 guide says that if you tail the /var/log/syslog you will eventually see something like:
Jul 17 16:50:22 hostname ntpd[22402]: synchronized to 140.221.9.20, stratum 2
but nothing like that happened for me. There was a user comment in the guide that mentioned:
“..ntpd no longer reports synchronization in syslog, or anywhere else. This was relayed to me on the mailing list. Apparently, it was considered too "noisy". So, you should no longer use the "tail -f /var/log/syslog" command to look for entries of the type..”
I had to dig around the web a lot to find out how I can confirm that NTP is working fine and talking with the specified servers. Obviously there is no straightforward way, but I found a few suggestions:
root@ubuntu:/var/log/ntpstats# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*203.0.178.191 216.218.254.202 2 u 43 64 377 17.671 64.526 30.717
-203.26.72.7 203.192.179.99 3 u 18 64 377 29.185 26.600 23.687
+128.184.34.53 169.254.0.1 3 u 17 64 377 32.807 65.414 31.841
+202.191.108.73 47.187.174.51 2 u 13 64 377 38.822 47.019 24.448
-27.50.90.253 74.189.58.78 2 u 15 64 377 21.007 26.764 28.117
+91.189.89.199 193.79.237.14 2 u 4 64 377 304.509 65.568 46.936
127.127.1.0 .LOCL. 10 l 1455 64 0 0.000 0.000 0.000
Note: you can also run ‘ntpq -c lpeer’ to view the names of the remote hosts.
[ref 3] suggests that if the ‘reach’ column is greater than ‘0’ then NTP is working fine.
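The ‘reach’ column is an 8-bit shift register printed in octal, one bit per recent poll, so it says more than zero or non-zero: 377 means the last eight polls were all answered. The following Python sketch is an added example, not from the original post or from [ref 3]; it decodes rows copied from the output above, and its function names are hypothetical.

```python
# Added example: interpret `ntpq -pn` rows. SAMPLE rows are copied from the output above.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.178.191 216.218.254.202 2 u 43 64 377 17.671 64.526 30.717
-203.26.72.7 203.192.179.99 3 u 18 64 377 29.185 26.600 23.687
+91.189.89.199 193.79.237.14 2 u 4 64 377 304.509 65.568 46.936
127.127.1.0 .LOCL. 10 l 1455 64 0 0.000 0.000 0.000
"""

# Tally codes that ntpq prints in front of each remote address.
TALLY = {"*": "sys.peer", "+": "candidate", "-": "outlier",
         "x": "falseticker", " ": "not selected"}


def decode_reach(octal_text):
    """reach is an 8-bit shift register printed in octal; the newest poll is bit 0.
    Returns (answered polls out of the last 8, whether the latest poll was answered)."""
    value = int(octal_text, 8)
    return bin(value).count("1"), bool(value & 1)


def parse_peers(text):
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or "refid" in line:
            continue  # blank line, separator or column header
        # The first column holds the tally code; it is blank for unselected peers.
        tally, body = (" ", line) if line[0].isalnum() else (line[0], line[1:])
        f = body.split()
        if len(f) != 10:
            continue  # not a peer row
        answered, latest_ok = decode_reach(f[6])
        peers.append({"remote": f[0], "role": TALLY.get(tally, "other"),
                      "stratum": int(f[2]), "answered": answered,
                      "latest_ok": latest_ok, "offset_ms": float(f[8])})
    return peers


def sync_source(peers):
    """Address ntpd is actually synchronized to, or None if no peer is selected."""
    for p in peers:
        if p["role"] == "sys.peer" and p["answered"] > 0:
            return p["remote"]
    return None


if __name__ == "__main__":
    for peer in parse_peers(SAMPLE):
        print(peer)
    print("synchronized to:", sync_source(parse_peers(SAMPLE)))
```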
Also remember that we allowed logging to /var/log/ntpstats/ ? If we go to that folder and view the files there you will see that there are constant updates.
For the record, I will also mention this article, which lists a summary of the methods to test if NTP is working: http://informationsecuritytips.com/2010/04/commands-for-testing-ntp-connection-in-linux/
I’m pretty sure NTP is now working on my Ubuntu machine. You can view the process with:
root@ubuntu:/var/log/ntpstats# ps aux | grep ntpd
ntp 3162 0.0 0.0 5752 2040 ? Ss 15:25 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 117:127
root 3996 0.0 0.0 4380 832 pts/0 S+ 15:58 0:00 grep --color=auto ntpd
Configure Cisco devices to use NTP Server
Okay, now let’s move on to configure our Cisco devices to use this new NTP server. I will use the Cisco Configuration Professional (CCP) for this but I’ll show the configuration commands as well.
Open up CCP and connect to your router. Then go to Configure > Router > Time > NTP and SNTP and click on ‘Add’ to add our new NTP server to the list. You will get the following screen. Here I’ll type in the details to connect to my NTP server.
It will ask for confirmation of the config. commands to be delivered to Router. Click deliver to send the commands.
Here are the commands that it will send to the router. Instead of using CCP you can use those commands at the global configuration mode:
ntp update-calendar
ntp server 10.3.0.20 source FastEthernet3/0 prefer
We are almost done.. Now the moment of truth to confirm that our router is synchronizing with our new NTP server:
R1#sh ntp status
Clock is synchronized, stratum 4, reference is 10.3.0.20
nominal freq is 250.0000 Hz, actual freq is 250.0003 Hz, precision is 2**18
reference time is D61729B7.4539EC51 (05:57:11.270 UTC Sun Oct 27 2013)
clock offset is 29.0361 msec, root delay is 60.13 msec
root dispersion is 188.57 msec, peer dispersion is 40.04 msec
Hooray! It’s working.
You can view a bit more detail, similar to what we saw with ‘ntpq -pn’ earlier on our Ubuntu NTP server, with this command:
R1#sh ntp associations
address ref clock st when poll reach delay offset disp
~10.3.0.20 127.127.1.0 11 235 256 175 28.0 -2.47 381.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Restrictions (optional)
As an optional step I went ahead and restricted the NTP clients just to 10.0.0./24 subnet (my GNS3 subnet). I did this by modifying the /etc/ntp.conf file:
# By default, exchange time with everybody, but don't allow configuration.
# restrict -4 default kod notrap nomodify nopeer noquery
# restrict -6 default kod notrap nomodify nopeer noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
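Added example (not part of the original post): a simplified Python model of how ntpd picks the restrict entry for a client, run against the lines above and against a constructed tighter variant. It shows that the mask 255.0.0.0 line matches all of 10.0.0.0/8 and that, with both default lines commented out, any other address falls through to ntpd's built-in default entry, which carries no flags, and is still served. The tighter config, the function names and the choice of 10.3.0.0/24 (taken from eth0 in the ifconfig output) are assumptions.

```python
import ipaddress

# The restrict section exactly as shown above (both default lines commented out).
PAGE_CONF = """\
# restrict -4 default kod notrap nomodify nopeer noquery
# restrict -6 default kod notrap nomodify nopeer noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
"""

# Constructed tighter variant (assumption, not the author's config). With
# "default ignore" every upstream server also needs its own restrict line or its
# replies are dropped; only the peer ntpq marked with '*' earlier is listed here.
TIGHT_CONF = """\
restrict -4 default ignore
restrict 127.0.0.1
restrict 203.0.178.191 nomodify notrap noquery
restrict 10.3.0.0 mask 255.255.255.0 nomodify notrap
"""


def parse_restrict(conf):
    """Return [(network, flags)] for IPv4 restrict lines. ntpd always has a
    default entry; left unconfigured, it carries no flags at all."""
    rules = [(ipaddress.ip_network("0.0.0.0/0"), frozenset())]
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict" or tok[1] == "-6":
            continue
        tok = [t for t in tok[1:] if t != "-4"]
        if not tok:
            continue
        addr, rest = tok[0], tok[1:]
        mask = "255.255.255.255"              # no mask given means a single host
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        net = "0.0.0.0/0" if addr == "default" else f"{addr}/{mask}"
        rules.append((ipaddress.ip_network(net), frozenset(rest)))
    return rules


def flags_for(rules, client):
    """Simplified model of ntpd's lookup: the most specific matching entry wins,
    and a configured default overrides the built-in one."""
    ip = ipaddress.ip_address(client)
    matches = (r for r in reversed(rules) if ip in r[0])
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def served(rules, client):
    """True if ntpd would answer this client at all (no 'ignore' flag)."""
    return "ignore" not in flags_for(rules, client)
```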
All done. I had to put in quite a lot of effort, first of all to get CCP running and then to write this up while setting up the NTP server, but it feels great now that it’s working!
Hope this helps someone and if anyone reading this is also hoping to give this a try, please do let me know how you go.
My Resources & References: