Network Time Protocol (NTP) is a protocol designed to time-synchronize devices within a network. Cisco IOS XR software implements NTPv4. NTPv4 retains backwards compatibility with the older versions of NTP, including NTPv3 and NTPv2 but excluding NTPv1, which has been discontinued due to security vulnerabilities.
This module describes the tasks you need to implement NTP on the Cisco IOS XR software.
For more information about NTP on the Cisco IOS XR software and complete descriptions of the NTP commands listed in this module, see Related Documents. To locate documentation for other commands that might appear in the course of running a configuration task, search online.
Release | Modification
---|---
Release 5.0.0 | This feature was introduced.
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
NTP synchronizes timekeeping among a set of distributed time servers and clients. This synchronization allows events to be correlated when system logs are created and other time-specific events occur.
NTP uses the User Datagram Protocol (UDP) as its transport protocol. All NTP communication uses Coordinated Universal Time (UTC). An NTP network usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.
NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source. A “stratum 1” time server typically has an authoritative time source (such as a radio or atomic clock, or a GPS time source) directly attached, a “stratum 2” time server receives its time via NTP from a “stratum 1” time server, and so on.
NTP avoids synchronizing to a machine whose time may not be accurate, in two ways. First, NTP never synchronizes to a machine that is not synchronized itself. Second, NTP compares the time reported by several machines and does not synchronize to a machine whose time is significantly different than the others, even if its stratum is lower. This strategy effectively builds a self-organizing tree of NTP servers.
The Cisco implementation of NTP does not support stratum 1 service; in other words, it is not possible to connect to a radio or atomic clock (for some specific platforms, however, you can connect a GPS time-source device). We recommend that time service for your network be derived from the public NTP servers available in the IP Internet.
If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that it acts as though it is synchronized via NTP, when in fact it has determined the time using other means. Other machines can then synchronize to that machine via NTP.
Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software also allows UNIX-derivative servers to acquire the time directly from an atomic clock, which would subsequently propagate time information along to Cisco routers.
The communications between machines running NTP (known as associations) are usually statically configured; each machine is given the IP address of all machines with which it should form associations. Accurate timekeeping is made possible by exchanging NTP messages between each pair of machines with an association.
In a LAN environment, NTP can be configured to use IP broadcast messages. As compared to polling, IP broadcast messages reduce configuration complexity, because each machine can simply be configured to send or receive broadcast or multicast messages. However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only.
An NTP broadcast client listens for broadcast messages sent by an NTP broadcast server at a designated IPv4 address. The client synchronizes the local clock using the first received broadcast message.
The time kept on a machine is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
When multiple sources of time (VINES, hardware clock, manual configuration) are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.
How to Implement NTP
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
You can configure the following types of poll-based associations between the router and other devices (which may also be routers):
The client and the symmetric active modes should be used when NTP is required to provide a high level of time accuracy and reliability.
When a networking device is operating in the client mode, it polls its assigned time serving hosts for the current time. The networking device then picks a host from all the polled time servers to synchronize with. Because the relationship that is established in this case is a client-host relationship, the host does not capture or use any time information sent by the local client device. This mode is most suited for file-server and workstation clients that are not required to provide any form of time synchronization to other local clients. Use the server command to individually specify the time-serving hosts that you want your networking device to consider synchronizing with and to set your networking device to operate in the client mode.
When a networking device is operating in the symmetric active mode, it polls its assigned time-serving hosts for the current time and it responds to polls by its hosts. Because this is a peer-to-peer relationship, the host also retains time-related information about the local networking device that it is communicating with. This mode should be used when there are several mutually redundant servers that are interconnected via diverse network paths. Most stratum 1 and stratum 2 servers on the Internet today adopt this form of network setup. Use the peer command to individually specify the time-serving hosts that you want your networking device to consider synchronizing with and to set your networking device to operate in the symmetric active mode.
When the router polls several other devices for the time, the router selects one device with which to synchronize.
Note: To configure a peer-to-peer association between the router and another device, you must also configure the router as a peer on the other device. You can configure multiple peers and servers, but you cannot configure a single IP address as both a peer and a server at the same time. To change the configuration of a specific IP address from peer to server or from server to peer, use the no form of the peer or server command to remove the current configuration before you perform the new configuration. If you do not remove the old configuration before performing the new configuration, the new configuration does not overwrite the old configuration.
1. configure
2. ntp
3. server ip-address [version number] [key key-id] [minpoll interval] [maxpoll interval] [source type interface-path-id] [prefer] [burst] [iburst]
4. peer ip-address [version number] [key key-id] [minpoll interval] [maxpoll interval] [source type interface-path-id] [prefer]
In a broadcast-based NTP association, an NTP server propagates NTP broadcast packets throughout a network. Broadcast clients listen for the NTP broadcast packets propagated by the NTP server and do not engage in any polling.
Broadcast-based NTP associations should be used when time accuracy and reliability requirements are modest and if your network is localized and has a large number of clients (more than 20). Broadcast-based NTP associations also are recommended for use on networks that have limited bandwidth, system memory, or CPU resources. Time accuracy is marginally reduced in broadcast-based NTP associations because information flows only one way.
Use the broadcast client command to set your networking device to listen for NTP broadcast packets propagated through a network. For broadcast client mode to work, the broadcast server and its clients must be located on the same subnet. The time server that is transmitting NTP broadcast packets must be enabled on the interface of the given device using the broadcast command.
Use the broadcast command to set your networking device to send NTP broadcast packets. Because a broadcast client accepts unsolicited packets and synchronizes from the first one it receives, any host on the subnet can offer it time; configure the broadcast server with the key key-id option and enable authentication on the clients so that broadcasts not authenticated with a trusted key are rejected.
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
1. configure
2. ntp
3. (Optional) broadcastdelay microseconds
4. interface type interface-path-id
5. broadcast client
6. broadcast [destination ip-address] [key key-id] [version number]
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | broadcastdelay microseconds | RP/0/RP0/CPU0:router(config-ntp)# broadcastdelay 5000 | (Optional) Adjusts the estimated round-trip delay for NTP broadcasts.
Step 4 | interface type interface-path-id | RP/0/RP0/CPU0:router(config-ntp)# interface POS 0/1/0/0 | Enters NTP interface configuration mode.
Step 5 | broadcast client | RP/0/RP0/CPU0:router(config-ntp-int)# broadcast client | Configures the specified interface to receive NTP broadcast packets.
Step 6 | broadcast [destination ip-address] [key key-id] [version number] | RP/0/RP0/CPU0:router(config-ntp-int)# broadcast destination 10.50.32.149 | Configures the specified interface to send NTP broadcast packets.
Step 7 | end, or commit | RP/0/RP0/CPU0:router(config-ntp-int)# end, or RP/0/RP0/CPU0:router(config-ntp-int)# commit | Saves configuration changes.
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
The access list-based restriction scheme allows you to grant or deny certain access privileges to an entire network, a subnet within a network, or a host within a subnet.
The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer: Allows time requests and NTP control queries, and allows the system to synchronize itself to a system whose address passes the access list criteria.
2. serve: Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
3. serve-only: Allows only time requests from a system whose address passes the access list criteria.
4. query-only: Allows only NTP control queries from a system whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type in that order is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted, and a source that matches none of the configured access lists receives no NTP access. Because NTP runs over UDP, an access group is only as strong as the source address it matches on, which a sender can forge; treat access groups as a complement to key-based authentication, not as a substitute for it.
For details on NTP control queries, see RFC 1305 (NTP version 3).
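The scan order and the "first matching type wins" rule, as an added Python example that is not part of this page and not Cisco code: it parses a minimal form of the IOS XR access-list bodies used later in this module's configuration examples, evaluates them against a source address in the fixed peer, serve, serve-only, query-only order, and reports which access type (and which operations) the source ends up with. The access-list contents are constructed for the example; two overlapping entries (10.9.0.0/24 in serve-only-acl and 10.9.0.0/16 in query-only-acl) and one deny entry are added beyond the page's own example to show what the order does. The mapping of access types to permitted operations follows the definitions above.

```python
import ipaddress

# Fixed scan order, least to most restrictive; the first access type whose
# access list permits the source address is the one granted.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each access type lets the remote system do: send time requests, send
# NTP control queries, and/or be a source this router synchronizes to.
PERMITS = {
    "peer":       {"time-request", "control-query", "sync-to"},
    "serve":      {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}

# Constructed configuration (not from a real router): the page's access-group
# example plus a deny entry and two overlapping prefixes to exercise the order.
ACLS_TEXT = {
    "peer-acl": """
        10 permit ip host 10.1.1.1 any
        20 permit ip host 10.8.8.8 any""",
    "serve-acl": """
        10 deny ip host 10.4.4.9 any
        20 permit ip 10.4.4.0/24 any
        30 permit ip host 10.5.5.5 any""",
    "serve-only-acl": """
        10 permit ip host 10.6.6.6 any
        20 permit ip host 10.7.7.7 any
        30 permit ip 10.9.0.0/24 any""",
    "query-only-acl": """
        10 permit ip host 10.2.2.2 any
        20 permit ip host 10.3.3.3 any
        30 permit ip 10.9.0.0/16 any""",
}
# 'access-group <type> <acl-name>' lines, as a dict.
GROUPS = {"peer": "peer-acl", "serve": "serve-acl",
          "serve-only": "serve-only-acl", "query-only": "query-only-acl"}


def parse_acl(text):
    """Parse '<seq> permit|deny <proto> <source> any' lines. Source is
    'host A.B.C.D', 'A.B.C.D/len' or 'any'. Only the source is evaluated,
    because NTP access groups match on the packet's source address."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        seq, action, src = int(parts[0]), parts[1], parts[3:-1]
        if src[0] == "host":
            net = ipaddress.ip_network(src[1])
        elif src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(src[0], strict=False)
        entries.append((seq, action == "permit", net))
    return sorted(entries, key=lambda e: e[0])


def acl_permits(entries, src_ip):
    """First matching entry decides; an unmatched address is implicitly denied."""
    addr = ipaddress.ip_address(src_ip)
    for _, permit, net in entries:
        if addr in net:
            return permit
    return False


ACLS = {name: parse_acl(body) for name, body in ACLS_TEXT.items()}


def granted_access(groups, acls, src_ip):
    """Return the access type granted to src_ip, 'all' when no access-group is
    configured, or None when access groups exist but none permits the source."""
    if not groups:
        return "all"
    for access_type in ACCESS_ORDER:
        acl_name = groups.get(access_type)
        if acl_name is not None and acl_permits(acls[acl_name], src_ip):
            return access_type
    return None


def allowed_operations(groups, acls, src_ip):
    """Translate the granted access type into the operations it permits."""
    access = granted_access(groups, acls, src_ip)
    if access == "all":
        return set().union(*PERMITS.values())
    return set() if access is None else set(PERMITS[access])


if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.4.4.4", "10.4.4.9", "10.9.0.5", "10.9.1.5", "192.0.2.1"):
        print(ip, granted_access(GROUPS, ACLS, ip), sorted(allowed_operations(GROUPS, ACLS, ip)))
```

Note that 10.9.0.5 lands in serve-only even though it also matches the query-only list: the more permissive type is scanned first, so overlapping prefixes silently widen what a source may do. Reviewing access lists for such overlaps is the check to make before relying on query-only to keep a network segment read-only.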
1. configure
2. ntp
3. access-group {peer | query-only | serve | serve-only} access-list-name
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | access-group {peer, query-only, serve, serve-only} access-list-name | RP/0/RP0/CPU0:router(config-ntp)# access-group peer access1 | Creates an access group and applies a basic IPv4 or IPv6 access list to it.
Step 4 | end, or commit | RP/0/RP0/CPU0:router(config-ntp)# end, or RP/0/RP0/CPU0:router(config-ntp)# commit | Saves configuration changes.
This task explains how to configure NTP authentication.
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
The encrypted NTP authentication scheme should be used when a reliable form of access control is required. Unlike the access-list-based restriction scheme, which trusts IP addresses, the authentication scheme uses shared authentication keys and a verification step to decide whether NTP synchronization packets sent by designated peers or servers are trusted before the time information they carry is accepted. Despite the name, nothing is encrypted: the scheme is a keyed message digest that provides integrity and source authentication, and the packet contents travel in the clear.
The authentication process begins when an NTP packet is created. The sender computes a message authentication code (MAC) with the MD5 Message Digest Algorithm over the shared key and the NTP packet, and appends the key number and the MAC to the synchronization packet. The packet, embedded MAC and key number are transmitted to the receiving client. If authentication is enabled and the key number refers to a key that is both defined (authentication-key) and trusted (trusted-key), the receiving client computes the MAC in the same way. If the computed MAC matches the embedded MAC, the system is allowed to synchronize to the server that uses this key in its packets; a packet whose key is undefined or untrusted, or whose MAC does not match, is not used for synchronization. The keys are shared secrets that must be distributed to peers out of band, and MD5 is the only algorithm this release offers for NTP authentication, so the protection rests entirely on keeping the key strings secret.
After NTP authentication is properly configured, your networking device only synchronizes with and provides synchronization to trusted time sources.
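The keyed-digest check described above, as an added Python example that is not part of this page and not Cisco code: it packs an NTPv4 header, appends the 32-bit key ID and the MD5 digest computed over the shared key followed by the header (the MD5 scheme of RFC 5905), and then applies the receiver-side rules the configuration tasks set up: a packet is accepted only if its key ID is both defined and trusted, its digest matches, and its header does not announce an unsynchronized source. The key strings, key IDs and header field values are constructed; key 2 is deliberately defined but not trusted, mirroring the authentication example later in this module.

```python
import hashlib
import hmac
import struct

# 48-byte NTP header (RFC 5905): LI|VN|mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then reference/origin/receive/
# transmit timestamps (64-bit each).
_HEADER = struct.Struct("!BBbbIIIQQQQ")
HEADER_LEN = _HEADER.size        # 48
MAC_LEN = 4 + 16                 # 32-bit key ID + 16-byte MD5 digest

# Constructed key material standing in for 'authentication-key 2 md5 ...',
# 'authentication-key 3 md5 ...' and 'trusted-key 3'. Key 2 is defined but
# deliberately NOT trusted, as in the page's authentication example.
KEYS = {2: b"constructed-key-2", 3: b"constructed-key-3"}
TRUSTED = {3}


def build_header(*, stratum, mode=4, version=4, leap=0, ref_id=b"GPS\x00",
                 tx_timestamp=0x0F00000000000000):
    """Pack an NTP header. mode 4 = server reply, mode 1 = symmetric active (peer)."""
    first = (leap << 6) | (version << 3) | mode
    return _HEADER.pack(first, stratum, 6, -20, 0, 0,
                        int.from_bytes(ref_id, "big"), 0, 0, 0, tx_timestamp)


def parse_header(data):
    """Unpack the fields the acceptance rules below need."""
    f = _HEADER.unpack_from(data)
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "ref_id": f[6].to_bytes(4, "big")}


def ntp_md5_mac(key, header):
    """RFC 5905 keyed digest: MD5 over key || header. This is a MAC, not
    encryption; the header itself travels in the clear."""
    return hashlib.md5(key + header).digest()


def append_mac(header, key_id, key):
    """Sender side: header + key ID + digest, as sent with 'server ... key N'."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def check_packet(packet, keys=KEYS, trusted=TRUSTED, require_auth=True):
    """Receiver side. Return 'ok' or the reason the packet must not be used
    for synchronization. require_auth=True models 'authenticate' being set."""
    if len(packet) < HEADER_LEN:
        return "truncated"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not mac:
        if require_auth:
            return "unauthenticated"
    elif len(mac) != MAC_LEN:
        return "bad MAC length"
    else:
        key_id = struct.unpack("!I", mac[:4])[0]
        if key_id not in keys:
            return "unknown key id %d" % key_id
        if key_id not in trusted:
            return "key id %d not trusted" % key_id        # defined is not trusted
        expected = ntp_md5_mac(keys[key_id], header)
        if not hmac.compare_digest(expected, mac[4:]):   # constant-time compare
            return "MAC mismatch"
    h = parse_header(header)
    # A valid MAC is necessary, not sufficient: NTP never synchronizes to a
    # source that is itself unsynchronized (stratum 0 or 16+, or leap indicator 3).
    if h["stratum"] == 0 or h["stratum"] > 15:
        return "stratum %d: source not synchronized" % h["stratum"]
    if h["leap"] == 3:
        return "leap indicator 3: source clock unsynchronized"
    return "ok"


if __name__ == "__main__":
    good = append_mac(build_header(stratum=2), 3, KEYS[3])
    print(check_packet(good))                                                    # ok
    print(check_packet(append_mac(build_header(stratum=2, mode=1), 2, KEYS[2])))  # key id 2 not trusted
    print(check_packet(build_header(stratum=2)))                                 # unauthenticated
```

The "key id 2 not trusted" outcome is the one to keep in mind when reading the configuration examples: defining a key with authentication-key does nothing for synchronization until the same key number is also listed with trusted-key.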
1. configure
2. ntp
3. authenticate
4. authentication-key key-number md5 [clear | encrypted] key-name
5. trusted-key key-number
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | authenticate | RP/0/RP0/CPU0:router(config-ntp)# authenticate | Enables the NTP authentication feature.
Step 4 | authentication-key key-number md5 [clear, encrypted] key-name | RP/0/RP0/CPU0:router(config-ntp)# authentication-key 42 md5 clear key1 | Defines the authentication keys.
Step 5 | trusted-key key-number | RP/0/RP0/CPU0:router(config-ntp)# trusted-key 42 | Defines trusted authentication keys.
Step 6 | end, or commit | RP/0/RP0/CPU0:router(config-ntp)# end, or RP/0/RP0/CPU0:router(config-ntp)# commit | Saves configuration changes.
NTP services are disabled on all interfaces by default.
NTP is enabled globally when any NTP commands are entered. You can selectively prevent NTP packets from being received through a specific interface by turning off NTP on a given interface.
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | no interface type interface-path-id, or interface type interface-path-id disable | RP/0/RP0/CPU0:router(config-ntp)# no interface pos 0/0/0/1, or RP/0/RP0/CPU0:router(config-ntp)# interface POS 0/0/0/1 disable | Disables NTP services on the specified interface.
Step 4 | end, or commit | RP/0/RP0/CPU0:router(config-ntp)# end, or RP/0/RP0/CPU0:router(config-ntp)# commit | Saves configuration changes.
By default, the source IP address of an NTP packet sent by the router is the address of the interface through which the NTP packet is sent. Use this procedure to set a different source address.
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
1. configure
2. ntp
3. source type interface-path-id
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | source type interface-path-id | RP/0/RP0/CPU0:router(config-ntp)# source POS 0/0/0/1 | Configures an interface from which the IP source address is taken.
Step 4 | end, or commit | RP/0/RP0/CPU0:router(config-ntp)# end, or RP/0/RP0/CPU0:router(config-ntp)# commit | Saves configuration changes.
You can configure the router to act as an authoritative NTP server, even if the system is not synchronized to an outside time source.
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | master stratum | RP/0/RP0/CPU0:router(config-ntp)# master 9 | Makes the router an authoritative NTP server.
Step 4 | end, or commit | RP/0/RP0/CPU0:router(config-ntp)# end, or RP/0/RP0/CPU0:router(config-ntp)# commit | Saves configuration changes.
On devices that have hardware clocks (system calendars), you can configure the hardware clock to be periodically updated from the software clock. This is advisable for devices using NTP, because the time and date on the software clock (set using NTP) is more accurate than the hardware clock. The time setting on the hardware clock has the potential to drift slightly over time.
Note: No specific command enables NTP; the first NTP configuration command that you issue enables NTP.
Step | Command or Action | Example | Purpose
---|---|---|---
Step 1 | configure | | Enters global configuration mode.
Step 2 | ntp | RP/0/RP0/CPU0:router(config)# ntp | Enters NTP configuration mode.
Step 3 | update-calendar | RP/0/RP0/CPU0:router(config-ntp)# update-calendar | Configures the router to update its system calendar from the software clock at periodic intervals.
Step 4 | end, or commit | RP/0/RP0/CPU0:router(config-ntp)# end, or RP/0/RP0/CPU0:router(config-ntp)# commit | Saves configuration changes.
This task explains how to verify the status of NTP components.
Note: The commands can be entered in any order.
1. show ntp associations [detail] [location node-id]: Displays the status of NTP associations.
2. show ntp status [location node-id]: Displays the status of NTP.
The following is sample output from the show ntp associations command:
The following is sample output from the show ntp status command:
The following example shows an NTP configuration in which the router's system clock is configured to form a peer association with the time server host at IP address 192.168.22.33, and to allow the system clock to be synchronized by time server hosts at IP addresses 10.0.2.1 and 172.19.69.1:
ntp
 server 10.0.2.1 minpoll 5 maxpoll 7
 peer 192.168.22.33
 server 172.19.69.1
The following example shows an NTP client configuration in which interface 0/2/0/0 is configured to receive NTP broadcast packets, and the estimated round-trip delay between an NTP client and an NTP broadcast server is set to 2 microseconds:
ntp
 interface tengige 0/2/0/0
  broadcast client
 exit
 broadcastdelay 2
The following example shows an NTP server configuration where interface 0/2/0/2 is configured to be a broadcast server:
ntp
 interface tengige 0/2/0/2
  broadcast
The following example shows an NTP access group configuration. Hosts 10.1.1.1 through 10.8.8.8 are configured as peers, and the access groups then narrow what each of them may do: peer access (time requests, control queries, and synchronization) is granted to addresses that pass peer-acl (10.1.1.1 and 10.8.8.8); serve access is granted to addresses that pass serve-acl (10.4.4.4 and 10.5.5.5); serve-only access is granted to addresses that pass serve-only-acl (10.6.6.6 and 10.7.7.7); and query-only access is granted to addresses that pass query-only-acl (10.2.2.2 and 10.3.3.3). Each access list ends with an implicit deny, so although eight peers are configured, the router will synchronize only to 10.1.1.1 and 10.8.8.8:
ntp
 peer 10.1.1.1
 peer 10.2.2.2
 peer 10.3.3.3
 peer 10.4.4.4
 peer 10.5.5.5
 peer 10.6.6.6
 peer 10.7.7.7
 peer 10.8.8.8
 access-group peer peer-acl
 access-group serve serve-acl
 access-group serve-only serve-only-acl
 access-group query-only query-only-acl
exit
ipv4 access-list peer-acl
 10 permit ip host 10.1.1.1 any
 20 permit ip host 10.8.8.8 any
exit
ipv4 access-list serve-acl
 10 permit ip host 10.4.4.4 any
 20 permit ip host 10.5.5.5 any
exit
ipv4 access-list query-only-acl
 10 permit ip host 10.2.2.2 any
 20 permit ip host 10.3.3.3 any
exit
ipv4 access-list serve-only-acl
 10 permit ip host 10.6.6.6 any
 20 permit ip host 10.7.7.7 any
exit
The following example shows an NTP authentication configuration. In this example, NTP authentication is enabled; two authentication keys, 2 and 3, are defined with their key strings entered in encrypted (stored) form; only key 3 is declared trusted; the server at 10.3.32.154 is configured to use key 3, so its packets authenticate and are accepted; and the peer at 10.32.154.145 is configured to use key 2, which is defined but not trusted, so the router does not synchronize to that peer:
ntp
 authenticate
 authentication-key 2 md5 encrypted 06120A2D40031D1008124
 authentication-key 3 md5 encrypted 1311121E074110232621
 trusted-key 3
 server 10.3.32.154 key 3
 peer 10.32.154.145 key 2
The following example shows an NTP configuration in which interface 0/2/0/0 is disabled:
ntp
 interface tengige 0/2/0/0 disable
 exit
 authentication-key 2 md5 encrypted 06120A2D40031D1008124
 authentication-key 3 md5 encrypted 1311121E074110232621
 authenticate
 trusted-key 3
 server 10.3.32.154 key 3
 peer 10.32.154.145 key 2
The following example shows an NTP configuration in which Ethernet management interface 0/0/CPU0/0 is configured as the source address for NTP packets:
ntp
 authentication-key 2 md5 encrypted 06120A2D40031D1008124
 authentication-key 3 md5 encrypted 1311121E074110232621
 authenticate
 trusted-key 3
 server 10.3.32.154 key 3
 peer 10.32.154.145 key 2
 source MgmtEth0/0/CPU0/0
The following example shows an NTP configuration in which the router is configured to use its own NTP master clock to synchronize with peers when an external NTP source becomes unavailable:
ntp
 master 6
The following example shows an NTP configuration in which the router is configured to update its hardware clock from the software clock at periodic intervals:
ntp
 server 10.3.32.154
 update-calendar
The following sections provide references related to implementing NTP on Cisco IOS XR software.
Related Topic | Document Title
---|---
Cisco IOS XR clock commands | Clock Commands module of the System Management Command Reference for Cisco NCS 6000 Series Routers
Cisco IOS XR NTP commands | NTP Commands module of the System Management Command Reference for Cisco NCS 6000 Series Routers
Information about getting started with Cisco IOS XR Software |
Cisco IOS XR master command index |
Information about user groups and task IDs | Configuring AAA Services module of the System Security Configuration Guide for Cisco NCS 6000 Series Routers
Standards | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs | MIBs Link
---|---
— | To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs | Title
---|---
RFC 1059 | Network Time Protocol, Version 1: Specification and Implementation
RFC 1119 | Network Time Protocol, Version 2: Specification and Implementation
RFC 1305 | Network Time Protocol, Version 3: Specification, Implementation, and Analysis
Description | Link
---|---
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. |