Cisco Catalyst 6000 Series Switches

Example NTP Configuration for High Availability Catalyst 6000 Switch

Document ID: 14978

Updated: Mar 23, 2005

Introduction

This document provides an example Network Time Protocol (NTP) configuration for a Catalyst 6000 family switch with redundant supervisor engines, and dual Multilayer Switch Feature Cards (MSFCs) with configuration synchronization enabled.

Before You Begin

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Example NTP Configuration for High Availability Catalyst 6000 Switch

Figure 1 shows the network topology for this example configuration.

Figure 1: Network Topology

This example shows a Catalyst 6509 with redundant supervisor engines and MSFCs. This is the show module command output from the switch:

Cat6000> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes standby
16  2    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      no  ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
1                       SAD04240E48
15                      SAD042406UW
2                       SAD042400YL
16                      SAD042407KG
3                       SAL04440WY6

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-30-7b-96-7c-5a to 00-30-7b-96-7c-5b 3.1    5.3(1)     5.5(7)
    00-30-7b-96-7c-58 to 00-30-7b-96-7c-59
    00-02-7e-02-a0-00 to 00-02-7e-02-a3-ff
15  00-d0-d3-a3-b6-a7 to 00-d0-d3-a3-b6-e6 1.4    12.1(6)E   12.1(6)E
2   00-d0-c0-cf-72-12 to 00-d0-c0-cf-72-13 3.1    5.3(1)     5.5(7)
    00-d0-c0-cf-72-10 to 00-d0-c0-cf-72-11
16  00-d0-c0-cf-72-14 to 00-d0-c0-cf-72-53 1.4    12.1(6)E   12.1(6)E
3   00-03-6c-29-ba-b0 to 00-03-6c-29-ba-df 1.4    5.4(2)     5.5(7)

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L3 Switching Engine     WS-F6K-PFC          SAD04240L70 1.1
2   L3 Switching Engine     WS-F6K-PFC          SAD04220KC5 1.1
Cat6000> (enable)

In this example, assume that this Catalyst 6509 is a core switch in the network. The dual MSFCs in the switch will function as NTP servers for other routers and switches in the network (including the supervisor engine on this switch itself).

The MSFCs will synchronize their clocks to a master NTP server located in a remote subnet in the network. In practice, this might be a private local NTP server, or a public NTP server. In either case, this server would typically synchronize its time with another, lower stratum clock, such as an atomic clock.

The dual MSFCs in this example have configuration synchronization (config-sync) enabled. This automatically synchronizes the configuration on the designated MSFC to the non-designated MSFC. See the Related Information section for more information on config-sync.

Here is the configuration of MSFC15 (the designated MSFC). The configuration on MSFC16 is exactly the same, with the exception that for those commands where the alt command is specified, MSFC16 uses the command after the alt keyword. For example, the hostname of MSFC15 is MSFC15; the hostname of MSFC16 is MSFC16.

version 12.1
no service pad
!

!--- Enable service timestamps datetime.

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
no service password-encryption
!
!

!--- Hostnames for the MSFCs.

hostname MSFC15 alt hostname MSFC16
!
boot system flash bootflash:c6msfc-jsv-mz.121-6.E.bin
enable password cisco
!
!
!Both MSFCs are in the PST timezone
clock timezone PST -8
!

!--- Both MSFCs will adjust the clock for Daylight Saving Time.

clock summer-time PDT recurring
!

!--- If connectivity to the NTP server is lost, the calendar is used
!--- as an authoritative time source.

clock calendar-valid
!
!
ip subnet-zero
!
!
no ip finger
ip domain-name corp.com
ip name-server 172.16.55.120
ip name-server 171.16.60.120
!
!
!config-sync is enabled
redundancy
 high-availability
 config-sync
!
!
!

!--- Each MSFC has a loopback0 interface in a different /30 subnet.

interface Loopback0
 ip address 10.10.10.1 255.255.255.252 alt ip address 10.10.10.5 255.255.255.252
!
!

!--- VLAN 1 is the management subnet, where the switch sc0 interface is located.

interface Vlan1
 description Network Management Subnet
 ip address 172.16.100.2 255.255.255.0 alt ip address 172.16.100.3 255.255.255.0
 no ip redirects
 standby 1 priority 105 preempt alt standby 1 priority 100 preempt
 standby 1 ip 172.16.100.1 alt standby 1 ip 172.16.100.1
!

<VARIOUS VLAN INTERFACES NOT RELEVANT TO THIS EXAMPLE>

!
router eigrp 10
 network 10.0.0.0
 network 172.0.0.0
 network 172.0.0.0 0.255.255.255
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
no ip http server
!
!
!
line con 0
 transport input none
line vty 0 4
 password cisco
 login
 transport input lat pad mop telnet rlogin udptn nasi
!
!

!--- Each MSFC uses the IP address of the loopback0 interface as
!--- the source IP for NTP packets.

ntp source Loopback0
!

!--- The MSFCs will update the hardware calendar with the NTP time.

ntp update-calendar
!

!--- Both MSFCs are getting the time from 10.100.100.1.

ntp server 10.100.100.1
!
end

Note: Some commands do not support the alt keyword, and therefore cannot be used with config-sync. An example is the ntp peer command. Config-sync support for this command would allow MSFC15 and MSFC16 to establish an NTP peer relationship. If this is a requirement in your network, you can disable config-sync and manually ensure that the configurations on the two MSFCs meet the requirements for dual MSFC systems. See the Related Information section for more information.

On the supervisor engine, the sc0 management interface (172.16.100.100) belongs to VLAN 1. The default gateway for the switch is the Hot Standby Router Protocol (HSRP) IP address on the VLAN 1 interface (172.16.100.1).

The supervisor engine points to two NTP servers for redundancy, the loopback0 interfaces on MSFC15 and MSFC16. Other switches and routers in the network are configured to do the same.

One disadvantage of this implementation is that if the entire switch fails, other devices in the network become unsynchronized. An alternate configuration for redundancy would have MSFCs in different chassis configured as NTP servers, so that if one chassis fails, the other continues to function as the NTP server.

This is the NTP configuration on the switch:

#ntp
#
#NTP client mode is enabled
set ntp client enable
#
#NTP server IP addresses (loopback0 interfaces on MSFC15 and MSFC16)
set ntp server 10.10.10.1
set ntp server 10.10.10.5
#
#Switch is in the PST timezone
set timezone PST -8 0
#
#Switch will adjust clock for Daylight Saving Time
set summertime enable PDT
set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60

Using NTP Authentication

NTP authentication adds a level of security to your NTP configuration. You configure an NTP key string on each device. The key is encrypted using a Message Digest 5 (MD5) hashing algorithm, and the encrypted key is passed in each NTP packet. Before an NTP packet is processed, the key is checked against the configured key on the receiving device.
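The following Python sketch is an added example, not part of the original Cisco document. It models the symmetric-key check used by NTP (RFC 5905): the sender appends a 32-bit key ID and an MD5 digest computed over the key string followed by the 48-byte header, and the receiver recomputes the digest with its own trusted key. The function names and the timestamp value are assumptions; key number 10 and the string "ticktock" are the ones used on this page.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest

def client_request(transmit_ts: int) -> bytes:
    """Minimal NTP client header: LI=0, VN=3, Mode=3, 64-bit transmit time."""
    first = (0 << 6) | (3 << 3) | 3
    return struct.pack("!B3x9IQ", first, *([0] * 9), transmit_ts)

def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: append key ID and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def check_mac(message: bytes, trusted: dict) -> bool:
    """Receiver side: accept only a valid MAC made with a trusted key."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False                      # no MAC present
    header, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted.get(key_id)
    if key is None:
        return False                      # key ID not configured or not trusted
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])

# Constructed values; key number and string are the ones used on this page.
SERVER_TRUSTED = {10: b"ticktock"}
REQUEST = add_mac(client_request(0xE3B0C44200000000), 10, b"ticktock")

if __name__ == "__main__":
    hdr = REQUEST[:HEADER_LEN]
    print("good key     :", check_mac(REQUEST, SERVER_TRUSTED))
    print("wrong string :", check_mac(add_mac(hdr, 10, b"tocktick"), SERVER_TRUSTED))
    print("unknown key  :", check_mac(add_mac(hdr, 11, b"ticktock"), SERVER_TRUSTED))
    print("no MAC       :", check_mac(hdr, SERVER_TRUSTED))
```

A mismatch in either the key number or the key string makes the receiver discard the packet, which is why both ends must carry identical key definitions.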

This is the configuration of MSFC15 (the designated MSFC) with the added NTP authentication commands. The configuration on MSFC16 is exactly the same.


!--- The key string for NTP authentication key 10 is "ticktock"
!--- (the key string is shown encrypted in the configuration).

ntp authentication-key 10 md5 ticktock
!

!--- Enables NTP authentication

ntp authenticate
!

!--- Makes NTP authentication key "10" a trusted key

ntp trusted-key 10
!
ntp source Loopback0
ntp update-calendar
ntp server 10.100.100.1

This is the NTP configuration on the switch with NTP authentication enabled:

#ntp
set ntp client enable
#
#Enables NTP authentication
set ntp authentication enable
#
#The key string for NTP authentication key 10 is "ticktock"
#(the key string is shown encrypted in the configuration)
set ntp key 10 trusted md5 ticktock
#
#NTP server IP addresses, configured to use authentication key 10
set ntp server 10.10.10.1 key 10
set ntp server 10.10.10.5 key 10
#
set timezone PST -8 0
set summertime enable PDT
set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60

Troubleshooting

Clock is Unsynchronized

The "clock is unsynchronized" issue occurs when the NTP master does not authenticate the NTP client request. This type of issue can occur when the authentication key and password are not configured on the master end.

This clock unsynchronization can be confirmed with the output of the show ntp status and show ntp association detail commands.

R2#show ntp status
Clock is unsynchronized, stratum 16, no reference clock

!--- Output suppressed.

In the previous show command output, "Clock is unsynchronized" and "no reference clock" confirm that the clock is unsynchronized.

R2#show ntp association detail
12.0.0.1 configured, insane, invalid, unsynced, stratum 16

!--- Output suppressed.

In this output, "insane, invalid, unsynced" confirms that the client clock is not synchronized with the master.
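The check described in this section can be scripted over collected command output. The following Python sketch is an added example, not part of the original Cisco document. It parses the two output lines shown above and reports the symptoms. The function names, the healthy sample lines, and the presence of an "authenticated" flag on authenticated associations are assumptions.

```python
import re

STATUS_RE = re.compile(r"Clock is (un)?synchronized, stratum (\d+)")
ASSOC_RE = re.compile(r"^(\S+) (.+), stratum (\d+)$")
BAD_FLAGS = {"insane", "invalid", "unsynced"}

def parse_status(text):
    """Sync state from 'show ntp status', or None if the line is absent."""
    m = STATUS_RE.search(text)
    if m is None:
        return None
    return {"synced": m[1] is None, "stratum": int(m[2])}

def parse_associations(text):
    """One dict per association summary line; other lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if m:
            flags = {f.strip() for f in m[2].split(",")}
            peers.append({"peer": m[1], "flags": flags, "stratum": int(m[3])})
    return peers

def diagnose(status_text, assoc_text):
    """List the problems visible in the two command outputs."""
    findings = []
    status = parse_status(status_text)
    if status is None:
        findings.append("no 'Clock is ...' line in show ntp status output")
    elif not status["synced"]:
        findings.append(f"clock unsynchronized at stratum {status['stratum']}")
    for p in parse_associations(assoc_text):
        bad = sorted(p["flags"] & BAD_FLAGS)
        if bad:
            findings.append(f"{p['peer']}: {', '.join(bad)}")
            # Assumption: an authenticated association lists "authenticated".
            if "authenticated" not in p["flags"]:
                findings.append(f"{p['peer']}: not authenticated, compare "
                                "key number and key string on both ends")
    return findings

# Output lines as shown on this page.
PAGE_STATUS = "R2#show ntp status\nClock is unsynchronized, stratum 16, no reference clock\n"
PAGE_ASSOC = "R2#show ntp association detail\n12.0.0.1 configured, insane, invalid, unsynced, stratum 16\n"
# Constructed healthy output (format assumed, not taken from the page).
OK_STATUS = "Clock is synchronized, stratum 3, reference is 10.100.100.1"
OK_ASSOC = "10.100.100.1 configured, authenticated, our_master, sane, valid, stratum 2"

if __name__ == "__main__":
    print("\n".join(diagnose(PAGE_STATUS, PAGE_ASSOC)))
```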

Related Information
