NTP authentication - cisco

We are trying to set up NTP authentication on our cisco devices and our linux machines.

Our cisco router is the time source, it gets its time from another server in corporate without authentication.

What we need is for our cisco router to get its time from the corporate source WITHOUT authentication, but server time to our internal switches and linux servers WITH authentication.

I am attaching a VERY crude drawing to help explain what we need.

I need to know how to configure our router to get unauthenticated ntp time from a source, but authenticate anything it servers out.  Does this make sense?

I am told by the Cisco guy that our router is a 6504
LVL 23
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

John MeggersNetwork ArchitectCommented:
in ntp world the client authenticates the server.  the server never authenticates the clients.
savoneAuthor Commented:
I appreciate your comments but neither help me.  

Is it possible to have the network set up like the ugly drawing I posted?

Our router needs to get unauthenticated ntp data and needs to give authenticated data to the rest of the devices on the network.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

let's simplify
the router is a ntp client (not authenticated)
the router is a ntp server that atuthenticates the messages with a key.

ntp client & ntp server are two separate processes.
it is possible to do it.
you need to configure the router as ntp client and then as ntp master with the desired keys.
savoneAuthor Commented:
Thanks DanJ, that is exactly what I need.  Unfortunately I am a linux administrator and that is how I understand that they are two separate processes (in linux ntpd for server and ntpdate for client).

The problem I am having is the cisco guy at work does not understand this.  I was tasked with setting up ntp authentication on all our linux servers.  Unfortunately our ntp servers are cisco devices and I have no control over them, or the source they receive their ntp data from.  So I asked the cisco guy to setup the exact thing you mentioned above.  And after 15 tries he is yet to get it right.

I was hoping you (or someone) would give me the exact commands, or close so I can pass the information off to someone with cisco enable access.

Marius GunnerudSenior Systems EngineerCommented:
ntp server:

ntp host x.x.x.x (where x.x.x.x is the update source for your ntp server...not needed though)
ntp authenticate
ntp authentication-key 1 md5 <password>

ntp client:

ntp authenticate
ntp authentication-key 1 md5 <password>
ntp host y.y.y.y key 1 (where y.y.y.y is the ip address of the server)

you can lock down the ntp further by only allowing those specific ntp clients to update by use of ACLs.
this is the configuration for the router

ntp authentication key 11 md5 NTPKEY
ntp trusted-key 11
ntp server x.x.x.x (where x.x.x.x is the outside source)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
for all other devices

ntp authentication key 11 md5 NTPKEY
ntp trusted-key 11
ntp server x.x.x.x (where x.x.x.x is the 6500 chassis)
ntp authenticate
savoneAuthor Commented:
Thanks, it is working now!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.