- Preface
- New and Changed Information for this Release
- Overview
- Configuring User Accounts and RBAC
- Configuring Session Manager
- Configuring the Scheduler
- Configuring Online Diagnostics
- Configuring NTP
- Configuring System Message Logging
- Configuring Smart Call Home
- Configuring DNS
- Configuring SNMP
- Configuring RMON
- Configuring SPAN
- Configuring Warp SPAN
- Configuring Active Buffer Monitoring
- Configuring Warp Mode
- Index
- Information About NTP
- NTP as a Time Server
- Distributing NTP Using CFS
- Clock Manager
- Virtualization Support
- Licensing Requirements for NTP
- Guidelines and Limitations for NTP
- Default Settings
- Configuring NTP
- Configuring NTP Server and Peer
- Configuring NTP Authentication
- Configuring NTP Access Restrictions
- Configuring the NTP Source IP Address
- Configuring the NTP Source Interface
- Configuring NTP Logging
- Enabling CFS Distribution for NTP
- Commiting NTP Configuration Changes
- Discarding NTP Configuration Changes
- Releasing the CFS Session Lock
- Verifying the NTP Configuration
- Configuration Examples for NTP
- Related Documents for NTP
- Feature History for NTP
Configuring NTP
This chapter contains the following sections:
- Information About NTP
- NTP as a Time Server
- Distributing NTP Using CFS
- Clock Manager
- Virtualization Support
- Licensing Requirements for NTP
- Guidelines and Limitations for NTP
- Default Settings
- Configuring NTP
- Related Documents for NTP
- Feature History for NTP
Information About NTP
The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that you can correlate events when you receive system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol. All NTP communications use Coordinated Universal Time (UTC).
An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.
NTP uses a stratum to describe the distance between a network device and an authoritative time source:
- A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).
- A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.
Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1. Because Cisco NX-OS cannot connect to a radio or atomic clock and act as a stratum 1 server, we recommend that you use the public NTP servers available on the Internet. If the network is isolated from the Internet, Cisco NX-OS allows you to configure the time as though it were synchronized through NTP, even though it was not.
Note |
You can create NTP peer relationships to designate the time-serving hosts that you want your network device to consider synchronizing with and to keep accurate time if a server failure occurs. |
The time kept on a device is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
NTP as a Time Server
the Cisco NX-OS device can use NTP to distribute time. Other devices can configure it as a time server. You can also configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an outside time source.
Distributing NTP Using CFS
Cisco Fabric Services (CFS) distributes the local NTP configuration to all Cisco devices in the network. After enabling CFS on your device, a network-wide lock is applied to NTP whenever an NTP configuration is started. After making the NTP configuration changes, you can discard or commit them. In either case, the CFS lock is then released from the NTP application.
Clock Manager
Clocks are resources that need to be shared across different processes. Multiple time synchronization protocols, such as NTP and Precision Time Protocol (PTP), might be running in the system.
The clock manager allows you to specify the protocol to control the various clocks in the system. Once you specify the protocol, the system clock starts updating.
Virtualization Support
NTP recognizes virtual routing and forwarding (VRF) instances. NTP uses the default VRF if you do not configure a specific VRF for the NTP server and NTP peer.
Licensing Requirements for NTP
The following table shows the licensing requirements for this feature:
Product |
License Requirement |
---|---|
Cisco NX-OS |
NTP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. |
Guidelines and Limitations for NTP
NTP has the following configuration guidelines and limitations:
- To configure NTP, you must have connectivity to at least one server that is running NTP.
- You should have a peer association with another device only when you are sure that your clock is reliable (which means that you are a client of a reliable NTP server).
- A peer configured alone takes on the role of a server and should be used as a backup. If you have two servers, you can configure several devices to point to one server and the remaining devices to point to the other server. You can then configure a peer association between these two servers to create a more reliable NTP configuration.
- If you have only one server, you should configure all the devices as clients to that server.
- You can configure up to 64 NTP entities (servers and peers).
- If CFS is disabled for NTP, then NTP does not distribute any configuration and does not accept a distribution from other devices in the network.
- After CFS distribution is enabled for NTP, the entry of an NTP configuration command locks the network for NTP configuration until a commit command is entered. During the lock, no changes can be made to the NTP configuration by any other device in the network except the device that initiated the lock.
- If you use CFS to distribute NTP, all devices in the network should have the same VRFs configured as you use for NTP.
- If you configure NTP in a VRF, ensure that the NTP server and peers can reach each other through the configured VRFs.
- You must manually distribute NTP authentication keys on the NTP server and Cisco NX-OS devices across the network.
Default Settings
Parameters |
Default |
---|---|
NTP authentication |
disabled |
NTP access |
enabled |
NTP logging |
disabled |
Configuring NTP
Configuring NTP Server and Peer
You can configure an NTP server and peer.
Make sure you know the IP address or DNS names of your NTP server and its peers.
If you plan to use CFS to distribute your NTP configuration to other devices, then you should have already completed the following:
This example shows how to configure an NTP server and peer:
switch# config t Enter configuration commands, one per line. End with CNTL/Z. switch(config)# ntp server 192.0.2.10 key 10 use-vrf Red switch(config)# ntp peer 2001:0db8::4101 prefer use-vrf Red switch(config)# show ntp peers -------------------------------------------------- Peer IP Address Serv/Peer -------------------------------------------------- 2001:0db8::4101 Peer (configured) 192.0.2.10 Server (configured) switch(config)# copy running-config startup-config [########################################] 100% switch(config)#
Configuring NTP Authentication
You can configure the device to authenticate the time sources to which the local clock is synchronized. When you enable NTP authentication, the device synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the authentication check and prevents them from updating the local clock. NTP authentication is disabled by default.
Make sure that you configured the NTP server with the authentication keys that you plan to specify in this procedure.
Command or Action | Purpose | |
---|---|---|
Step 1 | switch# configure terminal | Enters global configuration mode. |
Step 2 | switch(config)# [no] ntp authentication-key number md5 md5-string | Defines the authentication keys. The device does not synchronize to a time source unless the source has one of these authentication keys and the key number is specified by the ntp trusted-key number command. |
Step 3 | switch(config)# show ntp authentication-keys | (Optional) Displays the configured NTP authentication keys. |
Step 4 | switch(config)# [no]ntp trusted-key number | Specifies one or more keys that a time source must provide in its NTP packets in order for the device to synchronize to it. The range for trusted keys is from 1 to 65535. This command provides protection against accidentally synchronizing the device to a time source that is not trusted. |
Step 5 | switch(config)# show ntp trusted-keys | (Optional) Displays the configured NTP trusted keys. |
Step 6 | switch(config)# [no] ntp authenticate | Enables or disables the NTP authentication feature. NTP authentication is disabled by default. |
Step 7 | switch(config)# show ntp authentication-status | (Optional) Displays the status of NTP authentication. |
Step 8 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
This example shows how to configure the device to synchronize only to time sources that provide authentication key 42 in their NTP packets:
switch# config t Enter configuration commands, one per line. End with CNTL/Z. switch(config)# ntp authentication-key 42 md5 aNiceKey switch(config)# ntp trusted-key 42 switch(config)# ntp authenticate switch(config)# copy running-config startup-config [########################################] 100% switch(config)#
Configuring NTP Access Restrictions
You can control access to NTP services by using access groups. Specifically, you can specify the types of requests that the device allows and the servers from which it accepts responses.
If you do not configure any access groups, NTP access is granted to all devices. If you configure any access groups, NTP access is granted only to the remote device whose source IP address passes the access list criteria.
Command or Action | Purpose | |
---|---|---|
Step 1 | switch# configure terminal | Enters global configuration mode. |
Step 2 | switch(config)# [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name | Creates or removes an access group to control NTP access and applies a basic IP access list. The access group options are scanned in the following order, from least restrictive to most restrictive. However, if NTP matches a deny ACL rule in a configured peer, ACL processing stops and does not continue to the next access group option.
|
Step 3 | switch(config)# show ntp access-groups | (Optional) Displays the NTP access group configuration. |
Step 4 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
This example shows how to configure the device to allow it to synchronize to a peer from access group “accesslist1”:
switch# config t switch(config)# ntp access-group peer accesslist1 switch(config)# show ntp access-groups Access List Type ----------------------------- accesslist1 Peer switch(config)# copy running-config startup-config [########################################] 100% switch(config)#
Configuring the NTP Source IP Address
NTP sets the source IP address for all NTP packets based on the address of the interface through which the NTP packets are sent. You can configure NTP to use a specific source IP address.
To configure the NTP source IP address, use the following command in global configuration mode:
Command or Action | Purpose | |
---|---|---|
Step 1 | switch(config)# [no] ntp source ip-address | Configures the source IP address for all NTP packets. The ip-address can be in IPv4 or IPv6 format. |
This example shows how to configure NTP to a source IP address:
switch(config)# ntp source 192.0.2.1
Configuring the NTP Source Interface
You can configure NTP to use a specific interface.
To configure the NTP source interface, use the following command in global configuration mode:
Command or Action | Purpose | |
---|---|---|
Step 1 | switch(config)# [no] ntp source-interface interface | Configures the source interface for all NTP packets. Use the ? keyword to display a list of supported interfaces. |
This example shows how to configure NTP to a specific interface:
switch(config)# ntp source-interface ethernet 2/1
Configuring NTP Logging
You can configure NTP logging in order to generate system logs with significant NTP events. NTP logging is disabled by default.
Command or Action | Purpose | |
---|---|---|
Step 1 | switch# configure terminal | Enters global configuration mode. |
Step 2 | switch(config)# [no] ntp logging | Enables or disables system logs to be generated with significant NTP events. NTP logging is disabled by default. |
Step 3 | switch(config)# show ntp logging-status | (Optional) Displays the NTP logging configuration status. |
Step 4 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
This example shows how to enable NTP logging in order to generate system logs with significant NTP events:
switch# config t switch(config)# ntp logging switch(config)# copy running-config startup-config [########################################] 100% switch(config)#
Enabling CFS Distribution for NTP
You can enable CFS distribution for NTP in order to distribute the NTP configuration to other CFS-enabled devices.
Make sure that you have enabled CFS distribution for the device.
Command or Action | Purpose | |
---|---|---|
Step 1 | switch# configure terminal | Enters global configuration mode. |
Step 2 | switch(config)# [no] ntp distribute | Enables or disables the device to receive NTP configuration updates that are distributed through CFS. |
Step 3 | switch(config)# show ntp status | (Optional) Displays the NTP CFS distribution status. |
Step 4 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
This example shows how to enable CFS distribution for NTP:
switch# config t Enter configuration commands, one per line. End with CNTL/Z. switch(config)# ntp distribute switch(config)# copy running-config startup-config
Commiting NTP Configuration Changes
When you commit the NTP configuration changes, the effective database is overwritten by the configuration changes in the pending database and all the devices in the network receive the same configuration.
Command or Action | Purpose | |
---|---|---|
Step 1 | switch# configure terminal | Enters global configuration mode. |
Step 2 | switch(config)# ntp commit | Distributes the NTP configuration changes to all Cisco NX-OS devices in the network and releases the CFS lock. This command overwrites the effective database with the changes made to the pending database. |
This example shows how to commit the NTP configuration changes:
switch(config)# ntp commit
Discarding NTP Configuration Changes
After making the configuration changes, you can choose to discard the changes instead of committing them. If you discard the changes, Cisco NX-OS removes the pending database changes and releases the CFS lock.
To discard NTP configuration changes, use the following command in global configuration mode:
Command or Action | Purpose | |
---|---|---|
Step 1 | switch(config)# ntp abort | Discards the NTP configuration changes in the pending database and releases the CFS lock. Use this command on the device where you started the NTP configuration. |
This example shows how to discard the NTP configuration changes:
switch(config)# ntp abort
Releasing the CFS Session Lock
If you have performed an NTP configuration and have forgotten to release the lock by either committing or discarding the changes, you or another administrator can release the lock from any device in the network. This action also discards pending database changes.
To release the session lock from any device and discard any pending database changes, use the following command in global configuration mode:
Command or Action | Purpose | |
---|---|---|
Step 1 | switch(config)# clear ntp session | Discards the NTP configuration changes in the pending database and releases the CFS lock. |
This example shows how to release the CFS session lock:
switch(config)# clear ntp session
Verifying the NTP Configuration
To display the NTP configuration, perform one of the following tasks:
Use the clear ntp session command to clear the NTP sessions.
Use the clear ntp statistics command to clear the NTP statistics.
Command or Action | Purpose | |
---|---|---|
Step 1 | show ntp access-groups |
Displays the NTP access group configuration. |
Step 2 | show ntp authentication-keys |
Displays the configured NTP authentication keys. |
Step 3 | show ntp authentication-status |
Displays the status of NTP authentication. |
Step 4 | show ntp internal |
Displays internal NTP information. |
Step 5 | show ntp logging-status |
Displays the NTP logging status. |
Step 6 | show ntp peer-status |
Displays the status for all NTP servers and peers. |
Step 7 | show ntp peers |
Displays all the NTP peers. |
Step 8 | show ntp pending |
Displays the temporary CFS database for NTP. |
Step 9 | show ntp pending-diff |
Displays the difference between the pending CFS database and the current NTP configuration. |
Step 10 | show ntp rts-update |
Displays the RTS update status. |
Step 11 | show ntp session status |
Displays the NTP CFS distribution session information. |
Step 12 | show ntp source |
Displays the configured NTP source IP address. |
Step 13 | show ntp source-interface |
Displays the configured NTP source interface. |
Step 14 | show ntp statistics {io | local | memory | peer {ipaddr {ipv4-addr | ipv6-addr} | name peer-name}} |
Displays the NTP statistics. |
Step 15 | show ntp status |
Displays the NTP CFS distribution status. |
Step 16 | show ntp trusted-keys |
Displays the configured NTP trusted keys. |
Step 17 | show running-config ntp |
Displays NTP information. |
Configuration Examples for NTP
This example shows how to configure an NTP server and peer, enable NTP authentication, enable NTP logging, and then save the configuration in startup so that it is saved across reboots and restarts:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# ntp server 192.0.2.105 key 42 switch(config)# ntp peer 2001:0db8::4101 switch(config)# show ntp peers -------------------------------------------------- Peer IP Address Serv/Peer -------------------------------------------------- 2001:db8::4101 Peer (configured) 192.0.2.105 Server (configured) switch(config)# ntp authentication-key 42 md5 aNiceKey switch(config)# show ntp authentication-keys ----------------------------- Auth key MD5 String ----------------------------- 42 aNicekey switch(config)# ntp trusted-key 42 switch(config)# show ntp trusted-keys Trusted Keys: 42 switch(config)# ntp authenticate switch(config)# show ntp authentication-status Authentication enabled. switch(config)# ntp logging switch(config)# show ntp logging NTP logging enabled. switch(config)# copy running-config startup-config [########################################] 100% switch(config)#
This example shows an NTP access group configuration with the following restrictions:
- Peer restrictions are applied to IP addresses that pass the criteria of the access list named “peer-acl.”
- Serve restrictions are applied to IP addresses that pass the criteria of the access list named “serve-acl.”
- Serve-only restrictions are applied to IP addresses that pass the criteria of the access list named “serve-only-acl.”
- Query-only restrictions are applied to IP addresses that pass the criteria of the access list named “query-only-acl.”
switch# config terminal switch(config)# ntp peer 10.1.1.1 switch(config)# ntp peer 10.2.2.2 switch(config)# ntp peer 10.3.3.3 switch(config)# ntp peer 10.4.4.4 switch(config)# ntp peer 10.5.5.5 switch(config)# ntp peer 10.6.6.6 switch(config)# ntp peer 10.7.7.7 switch(config)# ntp peer 10.8.8.8 switch(config)# ntp access-group peer peer-acl switch(config)# ntp access-group serve serve-acl switch(config)# ntp access-group serve-only serve-only-acl switch(config)# ntp access-group query-only query-only-acl switch(config)# ip access-list peer-acl switch(config-acl)# 10 permit ip host 10.1.1.1 any switch(config-acl)# 20 permit ip host 10.8.8.8 any switch(config)# ip access-list serve-acl switch(config-acl)# 10 permit ip host 10.4.4.4 any switch(config-acl)# 20 permit ip host 10.5.5.5 any switch(config)# ip access-list serve-only-acl switch(config-acl)# 10 permit ip host 10.6.6.6 any switch(config-acl)# 20 permit ip host 10.7.7.7 any switch(config)# ip access-list query-only-acl switch(config-acl)# 10 permit ip host 10.2.2.2 any switch(config-acl)# 20 permit ip host 10.3.3.3 any
Related Documents for NTP
Related Topic |
Document Title |
---|---|
NTP CLI commands |
Cisco Nexus 3548 Switch NX-OS System Management Command Reference Guide |
Feature History for NTP
This table includes only the updates for those releases that have resulted in additions or changes to the feature.
Feature Name | Releases | Feature Information |
---|---|---|
NTP |
5.0(3)A1(1) |
This feature was introduced. |