Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 6.x
Configuring NTP

Configuring NTP


This chapter describes how to configure the Network Time Protocol (NTP) on Cisco NX-OS devices.

This chapter includes the following sections:

Information About NTP

Licensing Requirements for NTP

Prerequisites for NTP

Guidelines and Limitations

Default Settings

Configuring NTP

Verifying the NTP Configuration

Configuration Examples for NTP

Additional References

Feature History for NTP

Information About NTP

This section includes the following topics:

NTP Overview

NTP Associations

NTP as Time Server

Distributing NTP Using CFS

Clock Manager

High Availability

Virtualization Support

NTP Overview

The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that you can correlate events when you receive system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol. All NTP communications use Coordinated Universal Time (UTC).

An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.

NTP uses a stratum to describe the distance between a network device and an authoritative time source:

A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).

A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.

Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1. Because Cisco NX-OS cannot connect to a radio or atomic clock and act as a stratum 1 server, we recommend that you use the public NTP servers available on the Internet. If the network is isolated from the Internet, Cisco NX-OS allows you to configure the time as though it were synchronized through NTP, even though it was not.


Note You can create NTP peer relationships to designate the time-serving hosts that you want your network device to consider synchronizing with and to keep accurate time if a server failure occurs.


The time kept on a device is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.

NTP Associations

An NTP association can be one of the following:

A peer association—The device can either synchronize to another device or allow another device to synchronize to it.

A server association—The device synchronizes to a server.

You need to configure only one end of an association. The other device can automatically establish the association.

NTP Broadcast Associations

In a broadcast-based NTP association, an NTP server sends NTP broadcast packets throughout a network. Broadcast clients listen for the NTP broadcast packets sent by the server and do not engage in any polling.

NTP broadcast servers allow you to synchronize a large number of clients without creating a lot of NTP traffic because unsolicited messages are sent to a designated IPv4 local broadcast address, and ordinarily no request is expected from the clients.

NTP Multicast Associations

When the device operates as an NTP multicast server, it sends NTP multicast messages to a designated IPv4 or IPv6 multicast group IP address.

When the device operates as an NTP multicast client, it listens for NTP multicast packets that are sent by an NTP multicast server to a designated IPv4 or IPv6 multicast group IP address.

NTP multicast servers allow you to synchronize a large number of clients without creating a lot of NTP traffic because unsolicited messages are sent to a designated multicast group address, and ordinarily no request is expected from the clients.

NTP as Time Server

Beginning with Cisco NX-OS Release 5.2, the Cisco NX-OS device can use NTP to distribute time. Other devices can configure it as a time server. You can also configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an outside time source.

Distributing NTP Using CFS

Cisco Fabric Services (CFS) distributes the local NTP configuration to all Cisco devices in the network. After enabling CFS on your device, a network-wide lock is applied to NTP whenever an NTP configuration is started. After making the NTP configuration changes, you can discard or commit them. In either case, the CFS lock is then released from the NTP application.

For more information about CFS, see the "Configuring CFS" section.

Clock Manager

Clocks are resources that need to be shared across different processes and across different virtual device contexts (VDCs). Multiple time synchronization protocols, such as NTP and Precision Time Protocol (PTP), might be running in the system, and multiple instances of the same protocol might be running in different VDCs.

Beginning with Cisco NX-OS Release 5.2, the clock manager allows you to specify the protocol and a VDC running that protocol to control the various clocks in the system. Once you specify the protocol and VDC, the system clock starts updating. For information on configuring the clock manager, see the Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide.

High Availability

Stateless restarts are supported for NTP. After a reboot or a supervisor switchover, the running configuration is applied. For more information on high availability, see the Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide.

You can configure NTP peers to provide redundancy in case an NTP server fails.

Virtualization Support

If you are running a Cisco NX-OS release prior to 5.2, only one instance of NTP is supported on the entire platform. You must configure NTP in the default virtual device context (VDC), and you are automatically placed in the default VDC unless you specify otherwise.

If you are running Cisco NX-OS Release 5.2 or later, multiple instances of NTP are supported, one instance per VDC. By default, Cisco NX-OS places you in the default VDC unless you specifically configure another VDC.

Only one VDC (the default VDC by default) synchronizes the system clock at any given time. The NTP daemon in all other VDCs acts only as an NTP server for the other devices. To change which VDC synchronizes the system clock, use the clock protocol ntp vdc vdc-id command.

NTP recognizes virtual routing and forwarding (VRF) instances. NTP uses the default VRF if you do not configure a specific VRF for the NTP server and NTP peer. See the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide for more information about VRFs.

For more information about VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

Licensing Requirements for NTP

Product: Cisco NX-OS

License Requirement: NTP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.


Prerequisites for NTP

NTP has the following prerequisites:

To configure NTP, you must have connectivity to at least one server that is running NTP.

To configure VDCs, you must install the appropriate license. See the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide for configuration information and the Cisco NX-OS Licensing Guide for licensing information.

Guidelines and Limitations

NTP has the following configuration guidelines and limitations:

NTP server functionality is supported starting in Cisco NX-OS Release 5.2.

You should have a peer association with another device only when you are sure that your clock is reliable (which means that you are a client of a reliable NTP server).

A peer configured alone takes on the role of a server and should be used as a backup. If you have two servers, you can configure several devices to point to one server and the remaining devices to point to the other server. You can then configure a peer association between these two servers to create a more reliable NTP configuration.

If you have only one server, you should configure all the devices as clients to that server.

You can configure up to 64 NTP entities (servers and peers).

If CFS is disabled for NTP, then NTP does not distribute any configuration and does not accept a distribution from other devices in the network.

After CFS distribution is enabled for NTP, the entry of an NTP configuration command locks the network for NTP configuration until a commit command is entered. During the lock, no changes can be made to the NTP configuration by any other device in the network except the device that initiated the lock.

If you use CFS to distribute NTP, all devices in the network should have the same VRFs configured as you use for NTP.

If you configure NTP in a VRF, ensure that the NTP server and peers can reach each other through the configured VRFs.

You must manually distribute NTP authentication keys on the NTP server and Cisco NX-OS devices across the network.

Use NTP broadcast or multicast associations when time accuracy and reliability requirements are modest, your network is localized, and the network has more than 20 clients. We recommend that you use NTP broadcast or multicast associations in networks that have limited bandwidth, system memory, or CPU resources.


Note Time accuracy is marginally reduced in NTP broadcast associations because information flows only one way.


Default Settings

Table 3-1 lists the default settings for NTP parameters.

Table 3-1 Default NTP Parameters

Parameters                                        Default
------------------------------------------------  ------------------------------------------
NTP                                               Enabled in all VDCs and for all interfaces
NTP passive (enabling NTP to form associations)   Enabled
NTP authentication                                Disabled
NTP access                                        Enabled
NTP access group match all                        Disabled
NTP broadcast server                              Disabled
NTP multicast server                              Disabled
NTP multicast client                              Disabled
NTP logging                                       Disabled


Configuring NTP

This section includes the following topics:

Enabling or Disabling NTP in a VDC

Enabling or Disabling NTP on an Interface

Configuring the Device as an Authoritative NTP Server

Configuring an NTP Server and Peer

Configuring NTP Authentication

Configuring NTP Access Restrictions

Configuring the NTP Source IP Address

Configuring the NTP Source Interface

Configuring an NTP Broadcast Server

Configuring an NTP Multicast Server

Configuring an NTP Multicast Client

Configuring NTP on a Secondary (Nondefault) VDC

Configuring NTP Logging

Enabling CFS Distribution for NTP

Committing NTP Configuration Changes

Discarding NTP Configuration Changes

Releasing the CFS Session Lock


Note Be aware that the Cisco NX-OS commands for this feature may differ from those commands used in Cisco IOS.


Enabling or Disabling NTP in a VDC

You can enable or disable NTP in a particular VDC. NTP is enabled in all VDCs by default.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. [no] feature ntp

3. (Optional) show ntp status

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] feature ntp

Example:

switch(config)# feature ntp

Enables or disables NTP in a particular VDC. NTP is enabled by default.

Note If you are running a Cisco NX-OS Release prior to 5.2, NTP is enabled or disabled using the [no] ntp enable command.

Step 3 

show ntp status

Example:

switch(config)# show ntp status

Distribution: Enabled

Last operational state: Fabric Locked

(Optional) Displays the status of the NTP application.

Step 4 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to disable NTP:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)# no feature ntp

Enabling or Disabling NTP on an Interface

You can enable or disable NTP on a particular interface. NTP is enabled on all interfaces by default.

SUMMARY STEPS

1. config t

2. interface type slot/port

3. [no] ntp disable {ip | ipv6}

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

interface type slot/port

Example:

switch(config)# interface ethernet 6/1
switch(config-if)#

Enters interface configuration mode.

Step 3 

[no] ntp disable {ip | ipv6}

Example:

switch(config-if)# ntp disable ip

Disables NTP IPv4 or IPv6 on the specified interface. Use the no form of this command to reenable NTP on the interface.

Step 4 

copy running-config startup-config

Example:

switch(config-if)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Configuring the Device as an Authoritative NTP Server

You can configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an existing time server.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. [no] ntp master [stratum]

3. (Optional) show running-config ntp

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] ntp master [stratum]

Example:

switch(config)# ntp master

Configures the device as an authoritative NTP server.

You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

Step 3 

show running-config ntp

Example:

switch(config)# show running-config ntp

(Optional) Displays the NTP configuration.

Step 4 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure the Cisco NX-OS device as an authoritative NTP server with a different stratum level:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)# ntp master 5

Configuring an NTP Server and Peer

You can configure an NTP server and peer.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

Make sure you know the IP addresses or DNS names of your NTP server and its peers.

If you plan to use CFS to distribute your NTP configuration to other devices, then you should have already completed the following:

Enabled CFS distribution using the "Configuring CFS Distribution" section.

Enabled CFS for NTP using the "Enabling CFS Distribution for NTP" section.

SUMMARY STEPS

1. config t

2. [no] ntp passive

3. [no] ntp server {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]

4. [no] ntp peer {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]

5. (Optional) show ntp peers

6. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] ntp passive

Example:

switch(config)# ntp passive

Enables NTP to send synchronization responses and form associations. Use the no form of this command to prevent NTP from forming associations.

Note This command is available beginning with Cisco NX-OS Release 6.2(2). In previous releases, associations are enabled automatically and cannot be disabled.

Step 3 

[no] ntp server {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]

Example:

switch(config)# ntp server 192.0.2.10

Forms an association with a server.

Use the key keyword to configure a key to be used while communicating with the NTP server. The range for the key-id argument is from 1 to 65535.

Use the maxpoll and minpoll keywords to configure the maximum and minimum intervals in which to poll a peer. The range for the max-poll and min-poll arguments is from 4 to 16 seconds, and the default values are 6 and 4, respectively.

Use the prefer keyword to make this server the preferred NTP server for the device.

Use the use-vrf keyword to configure the NTP server to communicate over the specified VRF. The vrf-name argument can be default, management, or any case-sensitive, alphanumeric string up to 32 characters.

Note If you configure a key to be used while communicating with the NTP server, make sure that the key exists as a trusted key on the device. For more information on trusted keys, see the "Configuring NTP Authentication" section.

Step 4 

[no] ntp peer {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]

Example:

switch(config)# ntp peer 2001:0db8::4101

Forms an association with a peer. You can specify multiple peer associations.

Use the key keyword to configure a key to be used while communicating with the NTP peer. The range for the key-id argument is from 1 to 65535.

Use the maxpoll and minpoll keywords to configure the maximum and minimum intervals in which to poll a peer. The range for the max-poll and min-poll arguments is from 4 to 17 seconds, and the default values are 6 and 4, respectively.

Use the prefer keyword to make this peer the preferred NTP peer for the device.

Use the use-vrf keyword to configure the NTP peer to communicate over the specified VRF. The vrf-name argument can be default, management, or any case-sensitive, alphanumeric string up to 32 characters.

Step 5 

show ntp peers

Example:

switch(config)# show ntp peers

(Optional) Displays the configured server and peers.

Note A domain name is resolved only when you have a DNS server configured.

Step 6 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to enable NTP to send synchronization responses and form associations and to configure an NTP server and peer:

switch# config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# ntp passive
switch(config)# ntp server 192.0.2.10 key 10 use-vrf Red
switch(config)# ntp peer 2001:0db8::4101 prefer use-vrf Red
switch(config)# show ntp peers
--------------------------------------------------
  Peer IP Address               Serv/Peer          
--------------------------------------------------
  2001:0db8::4101               Peer (configured)
  192.0.2.10                    Server (configured)
switch(config)# copy running-config startup-config
[########################################] 100%

switch(config)#
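
The note in Step 3 requires that any key referenced by an NTP server or peer also exists as a trusted key on the device. The following check is an added example, not part of the Cisco guide and not Cisco code: it reads NTP configuration lines in the syntax this chapter uses and reports associations whose key is missing, undefined, or not trusted. The sample configuration, the function names, and the wording of the findings are assumptions made for illustration.

```python
import re

# Constructed sample in the syntax this chapter uses (not captured from a device).
SAMPLE_CONFIG = """\
ntp server 192.0.2.10 key 10 use-vrf Red
ntp server 192.0.2.11 use-vrf Red
ntp peer 2001:0db8::4101 key 42 prefer use-vrf Red
ntp authentication-key 10 md5 anotherKey
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp authenticate
"""

KEY_DEF_RE = re.compile(r"^ntp authentication-key (\d+) md5 \S+")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)$")
ASSOC_RE = re.compile(r"^ntp (server|peer) (\S+)(.*)$")
ASSOC_KEY_RE = re.compile(r"\skey (\d+)\b")


def parse_ntp_config(text):
    """Collect key definitions, trusted keys, associations and the authenticate flag."""
    state = {"defined": set(), "trusted": set(), "assocs": [], "authenticate": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_DEF_RE.match(line):
            state["defined"].add(int(m.group(1)))
        elif m := TRUSTED_RE.match(line):
            state["trusted"].add(int(m.group(1)))
        elif line == "ntp authenticate":
            state["authenticate"] = True
        elif m := ASSOC_RE.match(line):
            key = ASSOC_KEY_RE.search(m.group(3))
            key_id = int(key.group(1)) if key else None
            state["assocs"].append((m.group(1), m.group(2), key_id))
    return state


def audit_ntp_auth(text):
    """Return (subject, problem) findings; an empty list means the keys are consistent."""
    s = parse_ntp_config(text)
    findings = []
    if not s["authenticate"]:
        findings.append(("global", "ntp authenticate is not configured"))
    for kind, addr, key in s["assocs"]:
        subject = f"{kind} {addr}"
        if key is None:
            findings.append((subject, "no key configured for this association"))
        elif not 1 <= key <= 65535:
            findings.append((subject, f"key {key} is outside the range 1 to 65535"))
        elif key not in s["defined"]:
            findings.append((subject, f"key {key} has no ntp authentication-key definition"))
        elif key not in s["trusted"]:
            findings.append((subject, f"key {key} is defined but not an ntp trusted-key"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit_ntp_auth(SAMPLE_CONFIG):
        print(f"{subject}: {problem}")
```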

Configuring NTP Authentication

You can configure the device to authenticate the time sources to which the local clock is synchronized. When you enable NTP authentication, the device synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the authentication check and prevents them from updating the local clock. NTP authentication is disabled by default.

BEFORE YOU BEGIN

Make sure that you configured the NTP server with the authentication keys that you plan to specify in this procedure. See the "Configuring an NTP Server and Peer" section for information.

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. [no] ntp authentication-key number md5 md5-string

3. (Optional) show ntp authentication-keys

4. [no] ntp trusted-key number

5. (Optional) show ntp trusted-keys

6. [no] ntp authenticate

7. (Optional) show ntp authentication-status

8. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] ntp authentication-key number md5 md5-string

Example:

switch(config)# ntp authentication-key 42 md5 aNiceKey

Defines the authentication keys. The device does not synchronize to a time source unless the source has one of these authentication keys and the key number is specified by the ntp trusted-key number command.

The range for authentication keys is from 1 to 65535. Cisco NX-OS Release 6.1 and later 6.x releases support up to 15 alphanumeric characters for the MD5 string. Earlier 6.x releases support up to 8 alphanumeric characters.

Step 3 

show ntp authentication-keys

Example:

switch(config)# show ntp authentication-keys

(Optional) Displays the configured NTP authentication keys.

Step 4 

[no] ntp trusted-key number

Example:

switch(config)# ntp trusted-key 42

Specifies one or more keys (defined in Step 2) that a time source must provide in its NTP packets in order for the device to synchronize to it. The range for trusted keys is from 1 to 65535.

This command provides protection against accidentally synchronizing the device to a time source that is not trusted.

Step 5 

show ntp trusted-keys

Example:

switch(config)# show ntp trusted-keys

(Optional) Displays the configured NTP trusted keys.

Step 6 

[no] ntp authenticate

Example:

switch(config)# ntp authenticate

Enables or disables the NTP authentication feature. NTP authentication is disabled by default.

Step 7 

show ntp authentication-status

Example:

switch(config)# show ntp authentication-status

(Optional) Displays the status of NTP authentication.

Step 8 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure the device to synchronize only to time sources that provide authentication key 42 in their NTP packets:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)# ntp authentication-key 42 md5 aNiceKey

switch(config)# ntp trusted-key 42

switch(config)# ntp authenticate

switch(config)# copy running-config startup-config

[########################################] 100%

switch(config)#
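
The check that this section describes (a packet must carry a key that is defined, trusted, and produces a matching digest, otherwise it is dropped) can be seen at the packet level in the following added example, which is not part of the Cisco guide and is not NX-OS code. It uses the standard NTP symmetric-key layout, in which a 32-bit key ID and an MD5 digest of the key followed by the 48-byte header are appended to the packet; the header bytes, the second key, and the function names are constructed for illustration, and extension fields are not modelled.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header
MAC_LEN = 4 + 16     # 32-bit key ID followed by the 128-bit MD5 digest


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key digest: MD5 over the shared key followed by the packet header."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Time-source side: append the key ID and the digest to the header."""
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def check(packet: bytes, keys: dict, trusted: set, authenticate: bool = True):
    """Receiving side, as described in this section. Returns (accepted, reason)."""
    if not authenticate:
        return True, "authentication disabled"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return False, f"key {key_id} not defined"
    if key_id not in trusted:
        return False, f"key {key_id} not trusted"
    # Constant-time comparison of the expected and the received digest.
    if not hmac.compare_digest(md5_mac(keys[key_id], header), mac[4:]):
        return False, "digest mismatch"
    return True, f"authenticated with key {key_id}"


# Constructed header: LI=0, version 4, mode 4 (server), stratum 2, remaining fields zero.
SAMPLE_HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)

# Mirrors "ntp authentication-key 42 md5 aNiceKey" and "ntp trusted-key 42";
# key 10 is a constructed key that is defined but not trusted.
DEVICE_KEYS = {42: b"aNiceKey", 10: b"anotherKey"}
DEVICE_TRUSTED = {42}

if __name__ == "__main__":
    cases = {
        "trusted key": sign(SAMPLE_HEADER, 42, b"aNiceKey"),
        "wrong secret": sign(SAMPLE_HEADER, 42, b"notTheKey"),
        "untrusted key": sign(SAMPLE_HEADER, 10, b"anotherKey"),
        "unauthenticated": SAMPLE_HEADER,
    }
    for name, pkt in cases.items():
        print(name, check(pkt, DEVICE_KEYS, DEVICE_TRUSTED))
```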

Configuring NTP Access Restrictions

You can control access to NTP services by using access groups. Specifically, you can specify the types of requests that the device allows and the servers from which it accepts responses.

If you do not configure any access groups, NTP access is granted to all devices. If you configure any access groups, NTP access is granted only to the remote device whose source IP address passes the access list criteria.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name

3. (Optional) [no] ntp access-group match-all

4. (Optional) show ntp access-groups

5. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] ntp access-group {peer | serve | serve-only | query-only} access-list-name

Example:

switch(config)# ntp access-group peer accesslist1

Creates or removes an access group to control NTP access and applies a basic IP access list.

Beginning with Cisco NX-OS Release 6.2(2), the access group options are scanned in the following order, from least restrictive to most restrictive. In prior releases, ACL processing stops and does not continue to the next access group option if NTP matches a deny ACL rule in a configured peer.

The peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to the servers specified in the access list.

The serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers.

The serve-only keyword enables the device to receive only time requests from servers specified in the access list.

The query-only keyword enables the device to receive only NTP control queries from the servers specified in the access list.

Step 3 

[no] ntp access-group match-all

Example:

switch(config)# ntp access-group match-all

(Optional) Causes the access group options to be scanned in the following order, from least restrictive to most restrictive: peer, serve, serve-only, query-only. If the incoming packet does not match the peer access group, the packet goes to the serve access group to be processed. If the packet does not match the serve access group, it goes to the next access group and so on. This command also enables IPv6 access group processing.

Note This command is available beginning with Cisco NX-OS Release 6.2(2). If you enter the no form of this command, do not run this command, or create an access group using an earlier version of Cisco NX-OS, ACL processing stops and does not continue to the next access group option if the incoming packet does not match the peer access group or if NTP matches a deny ACL rule in a configured peer.

Step 4 

show ntp access-groups

Example:

switch(config)# show ntp access-groups

(Optional) Displays the NTP access group configuration.

Step 5 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure the device to allow it to synchronize to a peer from access group "accesslist1":

switch# config t

switch(config)# ntp access-group peer accesslist1

switch(config)# ntp access-group match-all

switch(config)# show ntp access-groups

Access List       Type

-----------------------------

accesslist1       Peer

switch(config)# copy running-config startup-config

[########################################] 100%

switch(config)#
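
The difference that ntp access-group match-all makes is easiest to see by evaluating the same source addresses both ways. The following simplified model is an added example, not part of the Cisco guide and not NX-OS code. It assumes that each access list is evaluated first-match with an implicit deny, that with match-all a source that is not permitted by one group falls through to the next group in the order peer, serve, serve-only, query-only, and that without match-all processing stops at the first configured group; the ACL contents and names are constructed.

```python
import ipaddress

# Scan order given in Step 3, least restrictive to most restrictive.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# Operations each keyword allows, taken from the keyword descriptions in Step 2.
GRANTS = {
    "peer": {"time-request", "control-query", "synchronize"},
    "serve": {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}


def acl_permits(acl, source):
    """First matching rule wins; a source that matches no rule is denied."""
    addr = ipaddress.ip_address(source)
    for action, prefix in acl:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            return action == "permit"
    return False


def allowed_operations(source, access_groups, match_all):
    """Return the set of NTP operations granted to `source`."""
    if not access_groups:
        # No access groups configured: NTP access is granted to all devices.
        return set().union(*GRANTS.values())
    for keyword in SCAN_ORDER:
        acl = access_groups.get(keyword)
        if acl is None:
            continue
        if acl_permits(acl, source):
            return set(GRANTS[keyword])
        if not match_all:
            # Assumed model of the pre-match-all behaviour: processing stops here.
            return set()
    return set()


# Constructed access groups: one upstream peer, one client subnet with an excluded host.
ACCESS_GROUPS = {
    "peer": [("permit", "192.0.2.10/32")],
    "serve-only": [("deny", "198.51.100.66/32"), ("permit", "198.51.100.0/24")],
}

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "198.51.100.66", "203.0.113.5"):
        for match_all in (False, True):
            ops = sorted(allowed_operations(src, ACCESS_GROUPS, match_all))
            print(f"{src:15} match-all={match_all!s:5} -> {ops or 'denied'}")
```

In this model the client subnet is served only when match-all is configured, which is the case to verify after adding a second access group on a device that previously had none.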

Configuring the NTP Source IP Address

NTP sets the source IP address for all NTP packets based on the address of the interface through which the NTP packets are sent. You can configure NTP to use a specific source IP address.

To configure the NTP source IP address, use the following command in global configuration mode:

Command
Purpose

[no] ntp source ip-address

Example:

switch(config)# ntp source 192.0.2.1

Configures the source IP address for all NTP packets. The ip-address can be in IPv4 or IPv6 format.


Configuring the NTP Source Interface

You can configure NTP to use a specific interface.

To configure the NTP source interface, use the following command in global configuration mode:

Command
Purpose

[no] ntp source-interface interface

Example:

switch(config)# ntp source-interface ethernet 2/1

Configures the source interface for all NTP packets. Use the ? keyword to display a list of supported interfaces.


Configuring an NTP Broadcast Server

You can configure an NTP IPv4 broadcast server on an interface. The device then sends broadcast packets through that interface periodically. The client is not required to send a response.

BEFORE YOU BEGIN

Use the switchto vdc command to switch to the desired nondefault VDC.

SUMMARY STEPS

1. config t

2. interface type slot/port

3. [no] ntp broadcast [destination ip-address] [key key-id] [version number]

4. exit

5. (Optional) [no] ntp broadcastdelay delay

6. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

interface type slot/port

Example:

switch(config)# interface ethernet 6/1
switch(config-if)#

Enters interface configuration mode.

Step 3 

[no] ntp broadcast [destination ip-address] [key key-id] [version number]

Example:

switch(config-if)# ntp broadcast destination 192.0.2.10

Enables an NTP IPv4 broadcast server on the specified interface.

destination ip-address—Configures the broadcast destination IP address.

key key-id—Configures the broadcast authentication key number. The range is from 1 to 65535.

version number—Configures the NTP version. The range is from 2 to 4.

Step 4 

exit

Example:

switch(config-if)# exit
switch(config)#

Exits interface configuration mode.

Step 5 

[no] ntp broadcastdelay delay

Example:

switch(config)# ntp broadcastdelay 100

(Optional) Configures the estimated broadcast round-trip delay in microseconds. The range is from 1 to 999999.

Step 6 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure an Ethernet interface to send NTP broadcast packets:

switch# configure terminal
switch(config)# interface ethernet6/1
switch(config-if)# ntp broadcast destination 192.0.2.10

Configuring an NTP Multicast Server

You can configure an NTP IPv4 or IPv6 multicast server on an interface. The device then sends multicast packets through that interface periodically.

BEFORE YOU BEGIN

Use the switchto vdc command to switch to the desired nondefault VDC.

SUMMARY STEPS

1. config t

2. interface type slot/port

3. [no] ntp multicast [ipv4-address | ipv6-address] [key key-id] [ttl value] [version number]

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

interface type slot/port

Example:

switch(config)# interface ethernet 6/1
switch(config-if)#

Enters interface configuration mode.

Step 3 

[no] ntp multicast [ipv4-address | ipv6-address] [key key-id] [ttl value] [version number]

Example:

switch(config-if)# ntp multicast FF02:1::FF0E:8C6C

Enables an NTP IPv4 or IPv6 multicast server on the specified interface.

ipv4-address or ipv6-address—Configures the multicast IPv4 or IPv6 address.

key key-id—Configures the broadcast authentication key number. The range is from 1 to 65535.

ttl value—The time-to-live value of the multicast packets. The range is from 1 to 255.

version number—Configures the NTP version. The range is from 2 to 4.

Step 4 

copy running-config startup-config

Example:

switch(config-if)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure an Ethernet interface to send NTP multicast packets:

switch# configure terminal
switch(config)# interface ethernet2/2
switch(config-if)# ntp multicast FF02::1:FF0E:8C6C

Configuring an NTP Multicast Client

You can configure an NTP multicast client on an interface. The device then listens to NTP multicast messages and discards any messages that come from an interface for which multicast is not configured.

BEFORE YOU BEGIN

Use the switchto vdc command to switch to the desired nondefault VDC.

SUMMARY STEPS

1. config t

2. interface type slot/port

3. [no] ntp multicast client [ipv4-address | ipv6-address]

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

interface type slot/port

Example:

switch(config)# interface ethernet 6/1
switch(config-if)#

Enters interface configuration mode.

Step 3 

[no] ntp multicast client [ipv4-address | ipv6-address]

Example:

switch(config-if)# ntp multicast client FF02:1::FF0E:8C6C

Enables the specified interface to receive NTP multicast packets.

Step 4 

copy running-config startup-config

Example:

switch(config-if)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure an Ethernet interface to receive NTP multicast packets:

switch# configure terminal
switch(config)# interface ethernet2/3
switch(config-if)# ntp multicast client FF02::1:FF0E:8C6C

Configuring NTP on a Secondary (Nondefault) VDC

You can configure a nondefault VDC to get a timing update from the default VDC and its clients in order to synchronize with it.

BEFORE YOU BEGIN

Use the switchto vdc command to switch to the desired nondefault VDC.

SUMMARY STEPS

1. config t

2. feature ntp

3. ntp master

4. (Optional) ntp source-interface interface

5. (Optional) ntp source ip-address

6. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

feature ntp

Example:

switch(config)# feature ntp

Enables NTP in the nondefault VDC.

Step 3 

ntp master

Example:

switch(config)# ntp master

Configures the device as an authoritative NTP server.

Step 4 

ntp source-interface interface

Example:

switch(config)# ntp source-interface ethernet 2/1

(Optional) Configures the source interface for all NTP packets. Use the ? keyword to display a list of supported interfaces.

Step 5 

ntp source ip-address

Example:

switch(config)# ntp source 192.0.2.1

(Optional) Configures the source IP address for all NTP packets. The ip-address can be in IPv4 or IPv6 format.

Step 6 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Configuring NTP Logging

You can configure NTP logging in order to generate system logs with significant NTP events. NTP logging is disabled by default.

BEFORE YOU BEGIN

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

1. config t

2. [no] ntp logging

3. (Optional) show ntp logging-status

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] ntp logging

Example:

switch(config)# ntp logging

Enables or disables system logs to be generated with significant NTP events. NTP logging is disabled by default.

Step 3 

show ntp logging-status

Example:

switch(config)# show ntp logging-status

(Optional) Displays the NTP logging configuration status.

Step 4 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to enable NTP logging in order to generate system logs with significant NTP events:

switch# config t
switch(config)# ntp logging
switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#

Enabling CFS Distribution for NTP

You can enable CFS distribution for NTP in order to distribute the NTP configuration to other CFS-enabled devices.

BEFORE YOU BEGIN

Make sure that you have enabled CFS distribution for the device using the "Configuring CFS Distribution" section.

SUMMARY STEPS

1. config t

2. [no] ntp distribute

3. (Optional) show ntp status

4. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t

Example:

switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

switch(config)#

Enters global configuration mode.

Step 2 

[no] ntp distribute

Example:

switch(config)# ntp distribute

Enables or disables the device to receive NTP configuration updates that are distributed through CFS.

Step 3 

show ntp status

Example:

switch(config)# show ntp status

(Optional) Displays the NTP CFS distribution status.

Step 4 

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Committing NTP Configuration Changes

When you commit the NTP configuration changes, the effective database is overwritten by the configuration changes in the pending database and all the devices in the network receive the same configuration.

To commit the NTP configuration changes, use the following command in global configuration mode:

Command
Purpose

ntp commit

Example:

switch(config)# ntp commit

Distributes the NTP configuration changes to all Cisco NX-OS devices in the network and releases the CFS lock. This command overwrites the effective database with the changes made to the pending database.


Discarding NTP Configuration Changes

After making the configuration changes, you can choose to discard the changes instead of committing them. If you discard the changes, Cisco NX-OS removes the pending database changes and releases the CFS lock.

To discard NTP configuration changes, use the following command in global configuration mode:

Command
Purpose

ntp abort

Example:

switch(config)# ntp abort

Discards the NTP configuration changes in the pending database and releases the CFS lock. Use this command on the device where you started the NTP configuration.


Releasing the CFS Session Lock

If you have performed an NTP configuration and have forgotten to release the lock by either committing or discarding the changes, you or another administrator can release the lock from any device in the network. This action also discards pending database changes.

To release the session lock from any device and discard any pending database changes, use the following command in global configuration mode:

Command
Purpose

clear ntp session

Example:

switch(config)# clear ntp session

Discards the NTP configuration changes in the pending database and releases the CFS lock.


Verifying the NTP Configuration

To display the NTP configuration, perform one of the following tasks:

Command
Purpose

show ntp access-groups

Displays the NTP access group configuration.

show ntp authentication-keys

Displays the configured NTP authentication keys.

show ntp authentication-status

Displays the status of NTP authentication.

show ntp internal

Displays internal NTP information.

show ntp logging-status

Displays the NTP logging status.

show ntp peer-status

Displays the status for all NTP servers and peers.

show ntp peers

Displays all the NTP peers.

show ntp pending

Displays the temporary CFS database for NTP.

show ntp pending-diff

Displays the difference between the pending CFS database and the current NTP configuration.

show ntp rts-update

Displays the RTS update status.

show ntp session status

Displays the NTP CFS distribution session information.

show ntp source

Displays the configured NTP source IP address.

show ntp source-interface

Displays the configured NTP source interface.

show ntp statistics {io | local | memory | peer {ipaddr {ipv4-addr | ipv6-addr} | name peer-name}}

Displays the NTP statistics.

show ntp status

Displays the NTP CFS distribution status.

show ntp trusted-keys

Displays the configured NTP trusted keys.

show running-config ntp

Displays NTP information.


Use the clear ntp session command to clear the NTP sessions.

Use the clear ntp statistics command to clear the NTP statistics.

Configuration Examples for NTP

This example shows how to configure an NTP server and peer, enable NTP authentication, enable NTP logging, and then save the configuration in startup so that it is saved across reboots and restarts:

switch# config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# ntp server 192.0.2.105 key 42
switch(config)# ntp peer 2001:0db8::4101
switch(config)# show ntp peers
--------------------------------------------------
  Peer IP Address               Serv/Peer          
--------------------------------------------------
  2001:db8::4101                Peer (configured) 
  192.0.2.105                   Server (configured) 
switch(config)# ntp authentication-key 42 md5 aNiceKey
switch(config)# show ntp authentication-keys
-----------------------------
 Auth key         MD5 String
-----------------------------
  42               aNiceKey
switch(config)# ntp trusted-key 42
switch(config)# show ntp trusted-keys
Trusted Keys:
42
switch(config)# ntp authenticate
switch(config)# show ntp authentication-status
Authentication enabled.
switch(config)# ntp logging
switch(config)# show ntp logging-status
NTP logging enabled.
switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#  
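
The example above keys the server but not the peer. The following Python check is an added example, not Cisco code: it scans saved NTP configuration lines and reports associations and broadcast or multicast servers with no key, keys that are used but not defined or trusted, and missing ntp authenticate or ntp logging. The sample configuration is constructed from commands on this page; the function name audit_ntp and the line format of the saved configuration are assumptions.

```python
import re

# Constructed sample built from this page's commands. Assumption: the saved
# configuration uses the same line forms as the commands typed at the CLI.
SAMPLE_CONFIG = """\
ntp server 192.0.2.105 key 42
ntp peer 2001:0db8::4101
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp authenticate
ntp logging
interface ethernet6/1
  ntp broadcast destination 192.0.2.10
interface ethernet2/2
  ntp multicast FF02::1:FF0E:8C6C key 7
"""

def audit_ntp(config_text):
    """Return sorted findings about unauthenticated or unlogged NTP use."""
    findings, defined, trusted, used = [], set(), set(), {}
    authenticate = logging_on = False
    interface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
            continue
        if line and not raw[0].isspace():
            interface = None  # an unindented line ends the interface block
        where = f"{interface}: " if interface else ""
        m = re.match(r"ntp (server|peer|broadcast|multicast)\b(.*)", line)
        rest = m.group(2).split() if m else []
        # "ntp multicast client" only listens and takes no key, so skip it.
        if m and not (m.group(1) == "multicast" and rest[:1] == ["client"]):
            key = re.search(r"\bkey (\d+)", m.group(2))
            if key:
                used.setdefault(int(key.group(1)), where + line)
            else:
                findings.append(f"no key: {where}{line}")
        elif m := re.match(r"ntp authentication-key (\d+) md5 \S", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(int(m.group(1)))
        elif line == "ntp authenticate":
            authenticate = True
        elif line == "ntp logging":
            logging_on = True
    for key_id, ref in used.items():
        if key_id not in defined:
            findings.append(f"key {key_id} not defined: {ref}")
        elif key_id not in trusted:
            findings.append(f"key {key_id} not trusted: {ref}")
    if not authenticate:
        findings.append("ntp authenticate is not configured")
    if not logging_on:
        findings.append("ntp logging is not configured")
    return sorted(findings)
```

Calling audit_ntp(SAMPLE_CONFIG) returns three findings: the unkeyed peer, the unkeyed broadcast server on ethernet6/1, and key 7 on ethernet2/2, which is referenced but never defined.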

This example shows an NTP access group configuration with the following restrictions:

Peer restrictions are applied to IP addresses that pass the criteria of the access list named "peer-acl."

Serve restrictions are applied to IP addresses that pass the criteria of the access list named "serve-acl."

Serve-only restrictions are applied to IP addresses that pass the criteria of the access list named "serve-only-acl."

Query-only restrictions are applied to IP addresses that pass the criteria of the access list named "query-only-acl."

switch# config t
switch(config)# ntp peer 10.1.1.1
switch(config)# ntp peer 10.2.2.2
switch(config)# ntp peer 10.3.3.3
switch(config)# ntp peer 10.4.4.4
switch(config)# ntp peer 10.5.5.5
switch(config)# ntp peer 10.6.6.6
switch(config)# ntp peer 10.7.7.7
switch(config)# ntp peer 10.8.8.8
switch(config)# ntp access-group peer peer-acl
switch(config)# ntp access-group serve serve-acl
switch(config)# ntp access-group serve-only serve-only-acl
switch(config)# ntp access-group query-only query-only-acl
switch(config)# ntp access-group match-all
 
 
switch(config)# ip access-list peer-acl
switch(config-acl)# 10 permit ip host 10.1.1.1 any
switch(config-acl)# 20 permit ip host 10.8.8.8 any
 
 
switch(config)# ip access-list serve-acl
switch(config-acl)# 10 permit ip host 10.4.4.4 any
switch(config-acl)# 20 permit ip host 10.5.5.5 any
 
 
switch(config)# ip access-list serve-only-acl
switch(config-acl)# 10 permit ip host 10.6.6.6 any
switch(config-acl)# 20 permit ip host 10.7.7.7 any
 
 
switch(config)# ip access-list query-only-acl
switch(config-acl)# 10 permit ip host 10.2.2.2 any
switch(config-acl)# 20 permit ip host 10.3.3.3 any
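
To see which restriction each of the eight configured peers ends up with, the following added example (not Cisco code) parses the configuration above and returns the first access group whose ACL permits a source address. It assumes that match-all scans the groups in the order peer, serve, serve-only, query-only, and that an address denied or unmatched in one ACL falls through to the next group; the function names are hypothetical.

```python
import ipaddress
import re

# Assumed scan order for "ntp access-group match-all": least to most restrictive.
SCAN_ORDER = ["peer", "serve", "serve-only", "query-only"]

# The page's access-group example with the prompts removed.
CONFIG = """\
ntp access-group peer peer-acl
ntp access-group serve serve-acl
ntp access-group serve-only serve-only-acl
ntp access-group query-only query-only-acl
ntp access-group match-all
ip access-list peer-acl
  10 permit ip host 10.1.1.1 any
  20 permit ip host 10.8.8.8 any
ip access-list serve-acl
  10 permit ip host 10.4.4.4 any
  20 permit ip host 10.5.5.5 any
ip access-list serve-only-acl
  10 permit ip host 10.6.6.6 any
  20 permit ip host 10.7.7.7 any
ip access-list query-only-acl
  10 permit ip host 10.2.2.2 any
  20 permit ip host 10.3.3.3 any
"""

def parse(config_text):
    """Return ({group: acl name}, {acl name: [(seq, action, network)]})."""
    groups, acls, current = {}, {}, None
    for line in (l.strip() for l in config_text.splitlines()):
        if m := re.match(r"ntp access-group (\S+) (\S+)$", line):
            groups[m.group(1)] = m.group(2)
        elif m := re.match(r"ip access-list (\S+)$", line):
            current = acls.setdefault(m.group(1), [])
        elif m := re.match(r"(\d+) (permit|deny) ip (host \S+|\S+/\d+|any) any$", line):
            src = m.group(3)
            net = "0.0.0.0/0" if src == "any" else src.replace("host ", "")
            current.append((int(m.group(1)), m.group(2), ipaddress.ip_network(net)))
    return groups, acls

def access_level(source, config_text=CONFIG):
    """Least restrictive group whose ACL permits `source`, or None."""
    groups, acls = parse(config_text)
    addr = ipaddress.ip_address(source)
    for group in SCAN_ORDER:
        entries = acls.get(groups.get(group), [])
        for _seq, action, net in sorted(entries, key=lambda e: e[0]):
            if addr in net:
                if action == "permit":
                    return group
                break  # explicit deny: fall through to the next group (assumption)
    return None
```

Under these assumptions only 10.1.1.1 and 10.8.8.8 receive peer access; the other six configured peers resolve to serve, serve-only, or query-only, and an address in none of the ACLs resolves to None.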

Additional References

For additional information related to implementing NTP, see the following sections:

Related Documents

MIBs

Related Documents

Related Topic
Document Title

NTP CLI commands

Cisco Nexus 7000 Series NX-OS System Management Command Reference

Clock manager

Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide

VDCs and VRFs

Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide


MIBs

MIBs
MIBs Link

CISCO-NTP-MIB

To locate and download MIBs, go to the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Feature History for NTP

Table 3-2 lists the release history for this feature.

Table 3-2 Feature History for NTP  

Feature Name
Releases
Feature Information

NTP

6.2(2)

Introduced the ntp access-group match-all command to cause the access group options to be scanned in order, from least restrictive to most restrictive.

NTP

6.2(2)

Introduced the no ntp passive command to prevent NTP from forming associations.

NTP

6.2(2)

Added the ability to configure NTP broadcast and multicast servers and multicast clients on an interface.

NTP

6.2(2)

Added the ability to enable or disable NTP on an interface.

NTP

6.2(2)

NTP access group options are now scanned in order from least restrictive to most restrictive.

NTP

6.1(1)

Increased the length of NTP authentication keys from 8 to 15 alphanumeric characters.

NTP

5.2(3)

Increased the length of NTP authentication keys from 8 to 15 alphanumeric characters.

NTP

5.2(1)

Added NTP support for all VDCs, enabling them to act as time servers. See the "Virtualization Support" section.

NTP

5.2(1)

Changed the command to enable or disable NTP from [no] ntp enable to [no] feature ntp. See the "Enabling or Disabling NTP in a VDC" section.

NTP

5.2(1)

Added the ability to configure the device as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an existing time server. See the "Configuring the Device as an Authoritative NTP Server" section.

NTP access groups

5.2(1)

Added the serve, serve-only, and query-only access group options to control access to additional NTP services. See the "Configuring NTP Access Restrictions" section.

NTP access groups

5.0(2)

Added the ability to control access to NTP services by using access groups. See the "Configuring NTP Access Restrictions" section.

NTP authentication

5.0(2)

Added the ability to enable or disable NTP authentication. See the "Configuring NTP Authentication" section.

NTP logging

5.0(2)

Added the ability to enable or disable NTP logging. See the "Configuring NTP on a Secondary (Nondefault) VDC" section.

NTP server configuration

5.0(2)

Added the optional key keyword to the ntp server command to configure a key to be used while communicating with the NTP server. See the "Configuring an NTP Server and Peer" section.

CFS support

4.2(1)

Added the ability to distribute NTP configuration using CFS. See the "Enabling CFS Distribution for NTP" section.

NTP source IP address or interface

4.1(3)

Added the ability to set the source IP address or source interface that NTP includes in all NTP packets sent to peers.

NTP

4.0(3)

Added the ability to disable NTP.

See the "Enabling or Disabling NTP in a VDC" section.