Cisco Catalyst 9200 Configuration Manual page 19

Administering the Device
A networking device operating in the broadcast client mode does not engage in any polling. Instead, it listens
for NTP broadcast packets that are transmitted by broadcast time servers. Consequently, time accuracy can
be marginally reduced because time information flows only one way.
Use the ntp broadcast client command to set your networking device to listen for NTP broadcast packets
propagated through a network. For broadcast client mode to work, the broadcast server and its clients must
be located on the same subnet. You must enable the time server that transmits NTP broadcast packets on the
interface of the given device by using the ntp broadcast command.
NTP Security
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
NTP Access Group
The access list-based restriction scheme allows you to grant or deny certain access privileges to an entire
network, a subnet within a network, or a host within a subnet. To define an NTP access group, use the ntp
access-group command in global configuration mode.
The access group options are scanned in the following order, from least restrictive to the most restrictive:
1. ipv4 —Configures IPv4 access lists.
2. ipv6 —Configures IPv6 access lists.
3. peer —Allows time requests and NTP control queries, and allows the system to synchronize itself to a
system whose address passes the access list criteria.
4. serve —Allows time requests and NTP control queries, but does not allow the system to synchronize itself
to a system whose address passes the access list criteria.
5. serve-only —Allows only time requests from a system whose address passes the access list criteria.
6. query-only —Allows only NTP control queries from a system whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted access.
If no access groups are specified, all access types are granted access to all systems. If any access groups are
specified, only the specified access types will be granted access.
For details on NTP control queries, see RFC 1305 (NTP Version 3).
The encrypted NTP authentication scheme should be used when a reliable form of access control is required.
Unlike the access list-based restriction scheme that is based on IP addresses, the encrypted authentication
scheme uses authentication keys and an authentication process to determine if NTP synchronization packets
sent by designated peers or servers on a local network are deemed as trusted before the time information that
they carry along with them is accepted.
The authentication process begins from the moment an NTP packet is created. Cryptographic checksum keys
are generated using the message digest algorithm 5 (MD5) and are embedded into the NTP synchronization
packet that is sent to a receiving client. Once a packet is received by a client, its cryptographic checksum key
is decrypted and checked against a list of trusted keys. If the packet contains a matching authentication key,
the time-stamp information that is contained within the packet is accepted by the receiving client. NTP
synchronization packets that do not contain a matching authenticator key are ignored.
System Management Configuration Guide, Cisco IOS XE Gibraltar 16.10.x (Catalyst 9200 Switches)
NTP Security
5