The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the Cisco NX-OS system management commands that begin with the letter N.
To abort the Network Time Protocol (NTP) configuration, use the ntp abort command.
network-admin
network-operator
vdc-admin
vdc-operator
|
|
This example shows how to abort the NTP configuration:
|
|
---|---|
To configure an access group to control Network Time Protocol (NTP) access, use the ntp access-group command. To remove the NTP peer access group, use the no form of this command.
ntp access-group {peer | serve | serve-only | query-only | match-all} access-list-name
no ntp access-group {peer | serve | serve-only | query-only | match-all} access-list-name
If you do not configure any access groups, NTP access is granted to all devices.
|
|
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
The ntp access-group match-all command causes the access group options to be scanned in the following order, from least restrictive to most restrictive: peer, serve, serve-only, query-only. If the incoming packet does not match the peer access group, the packet goes to the serve access group to be processed. If the packet does not match the serve access group, it goes to the next access group and so on. This command also enables IPv6 access group processing.
The ntp access-group match-all command is available beginning with Cisco NX-OS Release 6.2(2). If you enter the no form of this command, do not enter this command or create an access group using an earlier version of Cisco NX-OS. ACL processing stops and does not continue to the next access group option if the incoming packet does not match the peer access group or if NTP matches a deny ACL rule in a configured peer.
This example shows how to configure a peer access group for NTP:
switch#
config t
switch(config)#
ntp access-group peer Admin_Group_123
switch(config)#
This example shows how to remove an NTP peer access group:
switch#
config t
switch(config)#
no ntp access-group peer Admin_Group_123
switch(config)#
|
|
---|---|
To prevent the system from synchronizing with unauthenticated, unconfigured network peers, use the ntp authenticate command. Use the no form of this command to allow synchronization with unauthenticated, unconfirmed network peers.
Global configuration mode (config)
network-admin
network-operator
vdc-admin
vdc-operator
|
|
If the system has been configured with the ntp passive, ntp broadcast client, or ntp multicast client commands, when NTP receives an incoming symmetric active, broadcast, or multicast packet, it can set up an ephemeral peer association in order to synchronize with the sender.
If ntp authenticate is specified, when a symmetric active, broadcast, or multicast packet is received, the system will not synchronize to the peer unless the packet carries one of the authentication keys specified in the ntp trusted-key global configuration command.
To prevent synchronization with unauthorized network hosts, ntp authenticate should be specified any time ntp passive, ntp broadcast client, or ntp multicast client has been specified unless other measures, such as the ntp access-group command, have been taken to prevent unauthorized hosts from communicating with the NTP service on the device.
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
This command does not require a license.
Note This command does not authenticate peer associations configured via the ntp server and ntp peer commands. To authenticate ntp server and ntp peer associations, specify the key keyword.
This example shows how to enable NTP authentication:
switch(config)# ntp authenticate
This example shows how to disable NTP authentication:
|
|
---|---|
Specifies one or more keys that a time source must provide in its NTP packets in order for the device to synchronize to it. |
|
To configure a Network Time Protocol (NTP) authentication key, use the ntp authentication-key command. To remove the NTP authentication key, use the no form of this command.
ntp authentication-key number md5 md5-string
no ntp authentication-key number md5 md5-string
Global configuration mode (config)
network-admin
network-operator
vdc-admin
vdc-operator
|
|
Increases the length of NTP authentication keys from 8 to 15 alphanumeric characters. |
|
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
The device does not synchronize to a time source unless the source has one of these authentication keys and the key number is specified by the ntp trusted-key command.
This example shows how to configure an NTP authentication key:
switch#
config t
switch(config)#
ntp authentication-key 42 md5 aNiceKey
switch(config)#
This example shows how to remove the NTP authentication key:
switch#
config t
switch(config)#
no
ntp authentication-key 42 md5 aNiceKey
switch(config)#
|
|
---|---|
Configures one or more keys that a time source must provide in its NTP packets in order for the device to synchronize to it. |
To enable a Network Time Protocol (NTP) IPv4 broadcast server on the specified interface, use the ntp broadcast command. To disable the NTP IPv4 broadcast server, use the no form of this command.
ntp broadcast [destination ip-address] [key key-id] [version number]
no ntp broadcast [destination ip-address] [key key-id] [version number]
Interface configuration mode (config-if)
network-admin
network-operator
vdc-admin
vdc-operator
|
|
Use NTP broadcast or multicast associations when time accuracy and reliability requirements are modest, your network is localized, and the network has more than 20 clients. We recommend that you use NTP broadcast or multicast associations in networks that have limited bandwidth, system memory, or CPU resources.
Note Time accuracy is marginally reduced in NTP broadcast associations because information flows only one way.
This example shows how to enable an NTP IPv4 broadcast server on the interface:
|
|
---|---|
To configure the estimated Network Time Protocol (NTP) broadcast round-trip delay, use the ntp broadcastdelay command. To disable the estimated broadcast round-trip delay, use the no form of this command.
(Optional) Broadcast round-trip delay in microseconds. The range is from 1 to 999999. |
network-admin
network-operator
vdc-admin
vdc-operator
|
|
Use NTP broadcast or multicast associations when time accuracy and reliability requirements are modest, your network is localized, and the network has more than 20 clients. We recommend that you use NTP broadcast or multicast associations in networks that have limited bandwidth, system memory, or CPU resources.
Note Time accuracy is marginally reduced in NTP broadcast associations because information flows only one way.
This example shows how to configure the estimated broadcast round-trip delay:
|
|
---|---|
To commit the Network Time Protocol (NTP) configuration, use the ntp commit command.
network-admin
network-operator
vdc-admin
vdc-operator
|
|
This example shows how to commit the NTP configuration:
|
|
---|---|
To disable Network Time Protocol (NTP), use the ntp disable command. To reenable NTP, use the no form of this command.
|
|
This example shows how to disable NTP:
switch#
ntp disable
|
|
---|---|
To enable Cisco Fabric Services (CFS) distribution for the Network Time Protocol (NTP), use the ntp distribute command. To disable this feature, use the no form of this command.
network-admin
network-operator
vdc-admin
vdc-operator
|
|
This example shows how to distribute the active NTP configuration to the fabric:
|
|
---|---|
To enable a device to send or receive Network Time Protocol (NTP) configuration updates distributed through Cisco Fabric Services (CFS), use the ntp distribute command. To disable NTP distribution through CFS, use the no form of this command.
network-admin
network-operator
vdc-admin
vdc-operator
|
|
This command does not require a license.
In order to enble NTP distribution with CFS, you must have already enabled CFS distribution for the device using the cfs distribute command.
The ntp distribute command enables NTP to distribute its configurations through CFS. To distribute an NTP configuration change, enter the change and then use the commit command.
After CFS distribution is enabled for NTP, then the entry of an NTP configuration command locks the fabric for NTP until a commit command is entered. During the lock, no changes can be made to the NTP configuration by any other device in the fabric except the device where the lock was activated.
If CFS is disabled for NTP, then NTP does not distribute any configuration changes and does not accept a distribution from other devices in the fabric.
This example shows how to enable NTP to distribute its configurations through CFS.
To enable Network Time Protocol (NTP), use the ntp enable command. To disable NTP, use the no command form.
|
|
NTP must be configured in the default VDC. It cannot be configured in any other VDC.
This example shows how to disable NTP:
switch#
no
ntp enable
|
|
---|---|
To enable Network Time Protocol (NTP) logging, use the ntp logging command. To disable NTP logging, use the no form of this command.
Global configuration mode (config)
network-admin
network-operator
vdc-admin
vdc-operator
|
|
This command does not require a license.
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
This example shows how to enable NTP logging:
switch#
config t
switch(config)#
ntp logging
switch(config)#
This example shows how to disable NTP logging:
switch#
config t
switch(config)#
no ntp logging
switch(config)#
|
|
---|---|
To configure the device to act as an authoritative Network Time Protocol (NTP) server, use the ntp master command. To remove the device as an authoritative NTP server, use the no form of this command.
|
|
This command enables the device to distribute time even when it is not synchronized to an existing time server.
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
This example shows how to configure the device to act as an authoritative NTP server:
This example shows how to remove a device as an authoritative NTP server:
|
|
---|---|
Displays information about the NTP configuration that is currently running on the switch. |
To enable an Network Time Protocol (NTP) IPv4 or IPv6 multicast server on the interface, use the ntp multicast command. To disable an NTP multicast server on the interface, use the no form of this command.
ntp multicast [ipv4-address | ipv6 address] [key key-id] [ttl value] [version number]
no ntp multicast [ipv4-address | ipv6 address] [key key-id] [ttl value] [version number]
|
|
You can use the ntp multicast command to configure an NTP IPv4 or IPv6 multicast server on an interface. The device then sends multicast packets through that interface periodically.
Use NTP broadcast or multicast associations when time accuracy and reliability requirements are modest, your network is localized, and the network has more than 20 clients. We recommend that you use NTP broadcast or multicast associations in networks that have limited bandwidth, system memory, or CPU resources.
This example shows how to configure an NTP IPv6 multicast server on an interface:
|
|
---|---|
Displays information about the NTP configuration that is currently running on the switch. |
To configure a Network Time Protocol (NTP) multicast client on an interface, use the ntp multicast client command. To disable an NTP multicast client on the interface, use the no form of this command.
ntp multicast client [ipv4-address | ipv6 address]
no ntp multicast client [ipv4-address | ipv6 address]
|
|
You can use the ntp multicast client command to configure an NTP multicast client on an interface. The device then listens to NTP multicast messages and discards any messages that come from an interface for which multicast is not configured.
Use NTP broadcast or multicast associations when time accuracy and reliability requirements are modest, your network is localized, and the network has more than 20 clients. We recommend that you use NTP broadcast or multicast associations in networks that have limited bandwidth, system memory, or CPU resources.
This example shows how to configure an NTP IPv6 multicast server on an interface:
|
|
---|---|
Displays information about the NTP configuration that is currently running on the switch. |
To enable Network Time Protocol (NTP) to send synchronization responses and form associations, use the ntp passive command. To prevent NTP from forming associations, use the no form of this command.
|
|
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
This command is available beginning with Cisco NX-OS Release 6.2(2). In previous releases, associations are enabled automatically and cannot be disabled.
This example shows how to enable NTP to form associations:
|
|
---|---|
Displays information about the NTP configuration that is currently running on the switch. |
To configure a device as a Network Time Protocol (NTP) peer, use the ntp peer command. To remove the device as an NTP peer, use the no form of this command.
ntp peer { ip-address | ipv6-address | dns-name } [ key key-id ] [ prefer ] [ use-vrf vrf-name ]
no ntp peer { ip-address | ipv6-address | dns-name } [ key key-id ] [ prefer ] [ use-vrf vrf-name ]
Global configuration mode (config)
network-admin
vdc-admin
network-operator
vdc-operator
|
|
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
You can configure multiple peer associations.
If you configure a key to be used while communicating with the NTP server, make sure that the key exists as a trusted key on the device.
This example shows how to configure an NTP peer:
switch(config)# config t
switch(config)#
ntp peer 190.0.2.1 key 123 prefer use-vrf RED
switch(config)#
switch#
config t
switch(config)#
no
ntp peer 190.0.2.1
switch(config)#
|
|
---|---|
To configure a Network Time Protocol (NTP) server, use the ntp server command. To remove the NTP server, use the no form of this command.
ntp server { ip-address | ipv6-address | dns-name } [ key key-id ] [ prefer ] [ use-vrf vrf-name ]
no ntp server { ip-address | ipv6-address | dns-name } [ key key-id ] [ prefer ] [ use-vrf vrf-name ]
Global configuration mode (config)
network-admin
network-operator
vdc-admin
vdc-operator
|
|
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
If you configure a key to be used while communicating with the NTP server, make sure that the key exists as a trusted key on the device.
This example shows how to configure an NTP server:
switch(config)
config t
switch(config)#
ntp server 190.0.2.10 key 123 prefer use-vrf RED
switch(config)#
This example shows how to remove an NTP server:
switch#
config t
switch(config)#
no
ntp server 190.0.2.10 key 123 prefer use-vrf RED
switch(config)#
|
|
---|---|
To configure the Network Time Protocol (NTP) source, use the ntp source command. To remove the NTP source, use the no form of this command.
IPv4 or IPv6 address of the source. The IPv4 address format is dotted decimal, x.x.x.x. The IPv6 address format is hex A:B::C:D. |
Global configuration mode (config)
|
|
This example shows how to configure the NTP source:
switch(
config)#
ntp source 192.0.2.3
This example shows how to remove the NTP source:
switch(
config)#
no ntp source 192.0.2.3
|
|
---|---|
To configure the Network Time Protocol (NTP) source interface, use the ntp source-interface command. To remove an NTP source interface, use the no form of this command.
no ntp source-interface if_index
Global configuration mode (config)
|
|
This example shows how to configure an NTP source interface:
This example shows how to remove an NTP source configuration:
|
|
---|---|
To resynchronize the Network Time Protocol (NTP) with configured NTP servers, use the ntp sync-retry command.
network-admin
network-operator
vdc-admin
vdc-operator
|
|
This example shows how to resynchronize NTP:
switch#
ntp sync-retry
|
|
---|---|
To configure one or more keys that a time source must provide in its Network Time Protocol (NTP) packets in order for the device to synchronize to it, use the ntp trusted-key command. To remove the NTP trusted key, use the no form of this command.
Global configuration mode (config)
network-admin
network-operator
vdc-admin
vdc-operator
|
|
Make sure that you are in the correct virtual device context (VDC). To change the VDC, use the switchto vdc command.
This command provides protection against accidentally synchronizing the device to a time source that is not trusted.
This example shows how to configure an NTP trusted key:
switch#
config t
switch(config)#
ntp trusted-key 42
switch(config)#
This example shows how to remove the NTP trusted key:
switch#
config tswitch(config)#
no
ntp trusted-key 42
switch(config)#
|
|
---|---|