Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

Configuring NTP servers

Configure NTP servers using a configuration group

Configuring network time for your network includes these tasks:

  1. Configure NTP servers and parameters as described in this procedure.

  2. Configure the timezone in a System profile, in a Basic feature.

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Perform these steps to configure NTP servers and parameters.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2. Create and configure an NTP feature in a System profile.

  1. Configure a server.

    Table 1. Server

    Field: Description

    Add Server

    Hostname/IP address*: Enter the IP address of an NTP server, or a DNS server that knows how to reach the NTP server.

    VPN to reach NTP Server*: Enter the number of the VPN that should be used to reach the NTP server, or the VPN in which the NTP server is located. If you have configured multiple NTP servers, they must all be located or be reachable in the same VPN.
      Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.

    Set authentication key for the server: Specify the MD5 key associated with the NTP server, to enable MD5 authentication.
      For the key to work, you must mark it as trusted in the Trusted Key field under Authentication.

    Set NTP version*: Enter the version number of the NTP protocol software.
      Range: 1 to 4
      Default: 4

    Set interface to use to reach NTP server: Enter the name of a specific interface to use for outgoing NTP packets. The interface must be located in the same VPN as the NTP server. If it is not, the configuration is ignored.

    Prefer this NTP server*: Enable this option if multiple NTP servers are at the same stratum level and you want one to be preferred. For servers at different stratum levels, Cisco Catalyst SD-WAN chooses the one at the highest stratum level.

  2. Configure authentication.

    Table 2. Authentication

    Field: Description

    Add Authentication Keys

    Key Id*: Enter an MD5 authentication key ID.
      Range: 1 to 65535

    MD5 Value*: Enter an MD5 authentication key. Enter either a cleartext key or an AES-encrypted key.

    Trusted Key: Enter the MD5 authentication key to designate the key as trustworthy. To associate this key with a server, enter the same value that you entered for the Set authentication key for the server field under Server.

  3. Configure advanced parameters.

    Table 3. Advanced

    Field: Description

    Authoritative NTP Server: Choose Global from the drop-down list, and enable this option if you want to configure one or more supported routers as a primary NTP router.

    Stratum: Enter the stratum value for the primary NTP router. The stratum value defines the hierarchical distance of the router from its reference clock.
      Valid values: Integers 1 to 15. If you do not enter a value, the system uses the router internal clock default stratum value, which is 8.

    Source Interface: Enter the name of the exit interface for NTP communication. If configured, the system sends NTP traffic to this interface.
      For example, enter GigabitEthernet1 or Loopback0.

What to do next

Refer to Deploy a Configuration Group in the Cisco Catalyst SD-WAN Configuration Groups Reference Guide.


Configure NTP servers and parameters using templates

Configure network time protocol (NTP) servers using a Cisco NTP feature template.

You can create a Cisco NTP feature template directly or through a device template.

Configuring network time for your network includes these tasks:

  1. Configure NTP servers and parameters as described in this procedure.

  2. Configure the timezone in a System template.

Before you begin

Perform these steps to configure NTP servers and parameters.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2. Select Feature Templates.

3. Click Add Template.

4. Select a platform.

5. Click Cisco NTP.

6. To add an NTP server:

  1. Click Server.

  2. Click New Server, and configure these parameters.

    Table 4. NTP server parameters

    Field: Description

    Hostname/IP Address*: IP address of an NTP server, or a DNS server that knows how to reach the NTP server.

    Authentication Key ID*: Specify the MD5 authentication key associated with the NTP server, to enable authentication. For the key to work, you must mark it as trusted in the Trusted Keys field, under Authentication.
      Note: From Cisco Catalyst SD-WAN Control Components Release 20.14.1, you can use CMAC-AES authentication when configuring NTP servers for Cisco SD-WAN Control Components. This requires configuration using a CLI template.

    VPN ID*: Number of the VPN that should be used to reach the NTP server, or the VPN in which the NTP server is located. If you have configured multiple NTP servers, they must all be located or be reachable in the same VPN.
      The valid range is from 0 through 65530.

    Version*: Version number of the NTP protocol software. The range is from 1 through 4. The default is 4.

    Source Interface: Name of a specific interface to use for outgoing NTP packets. The interface must be located in the same VPN as the NTP server. If it is not, the configuration is ignored.

    Prefer: Click On if multiple NTP servers are at the same stratum level and you want one to be preferred. For servers at different stratum levels, the software chooses the one at the highest stratum level.

  3. You can click Add to add another server.

  4. Click Save.

7. To configure the authentication keys used to authenticate NTP servers:

  1. Click Authentication.

  2. Click the Authentication Key tab.

  3. Click New Authentication Key, and configure these parameters.

    Table 5. NTP authentication key parameters

    Field: Description

    Authentication Key ID*:
      • Authentication Key: Enter an authentication key ID.
        Range: 1 to 65535
      • Authentication Value: Enter either a cleartext key or an AES-encrypted key.

    Authentication Value*: Enter an authentication key. For this key to be used, you must designate it as trusted. To associate a key with a server, enter the same value that you entered in the Authentication Key ID field under Server.

  4. Click Add.

8. To configure the trusted keys used to authenticate NTP servers:

  1. Click Authentication.

  2. Click the Trusted Key tab.

  3. Configure these parameters.

    Table 6. Trusted key parameters

    Field: Description

    Trusted Keys*: Authentication key to designate the key as trustworthy. To associate this key with a server, enter the same value that you entered for the Authentication Key ID field under Server.


Configure NTP servers using CLI commands

Configure NTP servers using CLI commands in a CLI add-on profile or CLI add-on template.

Before you begin

Perform these steps to configure NTP servers.

Procedure

1. Create a CLI add-on profile or CLI add-on template.

2. Enter system configuration mode.

    system

3. Enter NTP configuration mode.

    ntp

4. Enter keys configuration mode.

    keys

5. Configure an authentication type to use for an NTP server. Assign a key for the authentication type, and assign one of these authentication methods: MD5, CMAC-AES-128. Using multiple instances of the authentication command, you can configure authentication for multiple NTP servers.

    authentication authentication-key-id {md5 md5-authentication-key | cmac-aes-128 cmac-authentication-key}

    Note

    The CMAC-AES option is available from Cisco Catalyst SD-WAN Control Components Release 20.14.1.

6. Designate an authentication type as trusted. Optionally, you can include multiple authentication key IDs.

    trusted authentication-key-id {authentication-key-id}[authentication-key-id]

7. Exit keys configuration mode.

    exit

8. Configure an NTP server, including the VPN and version, and optionally an authentication key. You can configure multiple NTP servers.

    server {server-ip | fully-qualified-domain-name}
    key authentication-key
    vpn vpn-id
    version version-id
    exit

Here is an example for configuring two authentication types and three NTP servers. Two servers are trusted and use an authentication key, and one server is generic. Authentication key 1001 uses MD5 and key 1002 uses CMAC-AES-128.

system ntp
  keys
    authentication 1001 md5 password1
    authentication 1002 cmac-aes-128 password2
    trusted 1001 1002
  !
  server 192.168.10.1
    key 1001
    vpn 512
    version 4
  exit
  server 192.168.10.2
    key 1002
    vpn 512
    version 4
  exit
  server us.pool.ntp.org
    vpn 512
    version 4
  exit
  !
!
Note

The passwords above are in plain text. When using a CLI template, you can encrypt passwords.
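
The rule stated in the procedures above, that a server's key is used only when the same key ID is both defined with an authentication command and listed as trusted, can be checked before a CLI template is deployed. The following Python check is an added example, not Cisco code; audit_ntp, SAMPLE and the finding strings are hypothetical names, and it assumes the configuration is laid out like the example on this page.

```python
# Constructed sample in the page's syntax: key 1002 is defined but missing from `trusted`.
SAMPLE = """\
system ntp
  keys
    authentication 1001 md5 password1
    authentication 1002 cmac-aes-128 password2
    trusted 1001
  server 192.168.10.1
    key 1001
    vpn 512
    version 4
  exit
  server 192.168.10.2
    key 1002
    vpn 512
    version 4
  exit
  server us.pool.ntp.org
    vpn 512
    version 4
  exit
"""


def audit_ntp(config):
    """Map each NTP server to the reason its time source is weakly or not authenticated."""
    methods, trusted, servers, current = {}, set(), {}, None
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) >= 3 and tok[0] == "authentication":
            methods[tok[1]] = tok[2]      # key ID -> md5 | cmac-aes-128
        elif tok[:1] == ["trusted"]:
            trusted.update(tok[1:])       # one or more key IDs per line
        elif len(tok) == 2 and tok[0] == "server":
            current = tok[1]
            servers[current] = None       # no key line seen yet
        elif len(tok) == 2 and tok[0] == "key" and current:
            servers[current] = tok[1]
    findings = {}
    for host, key in servers.items():
        if key is None:
            findings[host] = "no key configured"
        elif key not in methods:
            findings[host] = f"key {key} is not defined under keys"
        elif key not in trusted:
            findings[host] = f"key {key} is defined but not trusted"
        elif methods[key] == "md5":
            findings[host] = f"key {key} uses md5, not cmac-aes-128"
    return findings
```

Calling audit_ntp(SAMPLE) returns one entry per server that needs attention; a server whose key is defined, trusted and CMAC-AES-128 produces no entry.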