Configuring NTP

This chapter contains the following sections:

Information About NTP

Information About the NTP Server

The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that you can correlate events when you receive system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol.

All NTP communications use Coordinated Universal Time (UTC).

An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.

NTP uses a stratum to describe the distance between a network device and an authoritative time source:

  • A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).

  • A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.

Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1. Because Cisco NX-OS cannot connect to a radio or atomic clock and act as a stratum 1 server, we recommend that you use the public NTP servers available on the Internet. If the network is isolated from the Internet, Cisco NX-OS allows you to configure the time as though it were synchronized through NTP, even though it was not.


Note

You can create NTP peer relationships to designate the time-serving hosts that you want your network device to consider synchronizing with and to keep accurate time if a server failure occurs.

The time kept on a device is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.

NTP as Time Server

Other devices can configure it as a time server. You can also configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an outside time source.

Distributing NTP Using CFS

Cisco Fabric Services (CFS) distributes the local NTP configuration to all Cisco devices in the network.

After enabling CFS on your device, a network-wide lock is applied to NTP whenever an NTP configuration is started. After making the NTP configuration changes, you can discard or commit them.

In either case, the CFS lock is then released from the NTP application.

Clock Manager

Clocks are resources that need to be shared across different processes.

Multiple time synchronization protocols, such as NTP and Precision Time Protocol (PTP), might be running in the system.

High Availability

Stateless restarts are supported for NTP. After a reboot or a supervisor switchover, the running configuration is applied.

You can configure NTP peers to provide redundancy in case an NTP server fails.

Licensing Requirements

Product License Requirement
Cisco NX-OS

NTP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for NTP

NTP has the following prerequisites:

  • To configure NTP, you must have connectivity to at least one server that is running NTP.

Guidelines and Limitations for NTP

NTP has the following configuration guidelines and limitations:

  • NTP server functionality is supported.

  • You should have a peer association with another device only when you are sure that your clock is reliable (which means that you are a client of a reliable NTP server).

  • A peer configured alone takes on the role of a server and should be used as a backup. If you have two servers, you can configure several devices to point to one server and the remaining devices to point to the other server. You can then configure a peer association between these two servers to create a more reliable NTP configuration.

  • If you have only one server, you should configure all the devices as clients to that server.

  • You can configure up to 64 NTP entities (servers and peers).

  • If CFS is disabled for NTP, NTP does not distribute any configuration and does not accept a distribution from other devices in the network.

  • After CFS distribution is enabled for NTP, the entry of an NTP configuration command locks the network for NTP configuration until a commit command is entered. During the lock, no changes can be made to the NTP configuration by any other device in the network except the device that initiated the lock.

  • If you use CFS to distribute NTP, all devices in the network should have the same VRFs configured as you use for NTP.

  • If you configure NTP in a VRF, ensure that the NTP server and peers can reach each other through the configured VRFs.

  • You must manually distribute NTP authentication keys on the NTP server and Cisco NX-OS devices across the network.

  • Use NTP broadcast or multicast associations when time accuracy and reliability requirements are modest, your network is localized, and the network has more than 20 clients. We recommend that you use NTP broadcast or multicast associations in networks that have limited bandwidth, system memory, or CPU resources.


Note

Time accuracy is marginally reduced in NTP broadcast associations because information flows only one way.

Default Settings for NTP

The following table lists the default settings for NTP parameters:

Table 1 Default NTP Parameters
Parameters Default

NTP

Enabled

NTP authentication

Disabled

NTP access

Enabled

NTP logging

Disabled

Configuring NTP

Enabling or Disabling NTP

Before You Begin

Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.

SUMMARY STEPS

    1.    switch# configure terminal

    2.    switch(config)# [no] feature ntp

    3.    (Optional) switch(config)# show ntp status

    4.    (Optional) switch(config)# copy running-config startup-config


DETAILED STEPS
     Command or ActionPurpose
    Step 1switch# configure terminal  

    Enters global configuration mode.

     
    Step 2switch(config)# [no] feature ntp 

    Enables or disables NTP in VDC. NTP is enabled by default.

    Note   

    NTP is enabled or disabled using the [no] ntp enable command.

     
    Step 3switch(config)# show ntp status  (Optional)

    Displays the status of the NTP application.

     
    Step 4switch(config)# copy running-config startup-config   (Optional)

    Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

     

    This example shows how to disable NTP:

    switch# configure terminal
switch(config)# no feature ntp

    Configuring the Device as an Authoritative NTP Server

    You can configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an existing time server.

    SUMMARY STEPS

      1.    switch# configure terminal

      2.    [no] ntp master [stratum]

      3.    (Optional) show running-config ntp

      4.    (Optional) switch(config)# copy running-config startup-config


    DETAILED STEPS
       Command or ActionPurpose
      Step 1switch# configure terminal  

      Enters global configuration mode.

       
      Step 2[no] ntp master [stratum]
       

      Configures the device as an authoritative NTP server.

      You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

       
      Step 3show running-config ntp
              		(Optional)

      Displays the NTP configuration.

       
      Step 4switch(config)# copy running-config startup-config   (Optional)

      Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

       

      This example shows how to configure the Cisco NX-OS device as an authoritative NTP server with a different stratum level:

      switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ntp master 5

      Configuring an NTP Server and Peer

      You can configure an NTP server and peer.

      Before You Begin

      Make sure that you know the IP address or DNS names of your NTP server and its peers.

      SUMMARY STEPS

        1.    switch# configure terminal

        2.    (Optional) switch(config)# show ntp peers

        3.    (Optional) switch(config)# copy running-config startup-config


      DETAILED STEPS
         Command or ActionPurpose
        Step 1switch# configure terminal  

        Enters global configuration mode.

         
        Step 2switch(config)# show ntp peers  (Optional)

        Displays the configured server and peers.

        Note   

        A domain name is resolved only when you have a DNS server configured.

         
        Step 3switch(config)# copy running-config startup-config   (Optional)

        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

         

        Configuring NTP Authentication

        You can configure the device to authenticate the time sources to which the local clock is synchronized. When you enable NTP authentication, the device synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the authentication check and prevents them from updating the local clock. NTP authentication is disabled by default.

        Before You Begin

        Make sure that you configured the NTP server with the authentication keys that you plan to specify in this procedure.

        SUMMARY STEPS

          1.    switch# configure terminal

          2.    switch(config)# [no] ntp authentication-key number md5 md5-string

          3.    (Optional) switch(config)# show ntp authentication-keys

          4.    switch(config)# [no] ntp trusted-key number

          5.    (Optional) switch(config)# show ntp trusted-keys

          6.    switch(config)# [no] ntp authenticate

          7.    (Optional) switch(config)# show ntp authentication-status

          8.    (Optional) switch(config)# copy running-config startup-config


        DETAILED STEPS
           Command or ActionPurpose
          Step 1switch# configure terminal  

          Enters global configuration mode.

           
          Step 2switch(config)# [no] ntp authentication-key number md5 md5-string 

          Defines the authentication keys. The device does not synchronize to a time source unless the source has one of these authentication keys and the key number is specified by the ntp trusted-key number command.

           
          Step 3switch(config)# show ntp authentication-keys  (Optional)

          Displays the configured NTP authentication keys.

           
          Step 4switch(config)# [no] ntp trusted-key number 

          Specifies one or more keys (defined in Step 2) that a time source must provide in its NTP packets in order for the device to synchronize to it. The range for trusted keys is from 1 to 65535.

          This command provides protection against accidentally synchronizing the device to a time source that is not trusted.

           
          Step 5switch(config)# show ntp trusted-keys  (Optional)

          Displays the configured NTP trusted keys.

           
          Step 6switch(config)# [no] ntp authenticate 

          Enables or disables the NTP authentication feature. NTP authentication is disabled by default.

           
          Step 7switch(config)# show ntp authentication-status  (Optional)

          Displays the status of NTP authentication.

           
          Step 8switch(config)# copy running-config startup-config   (Optional)

          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

           

          This example shows how to configure the device to synchronize only to time sources that provide authentication key 42 in their NTP packets:

          switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ntp authentication-key 42 md5 aNiceKey
switch(config)# ntp trusted-key 42
switch(config)# ntp authenticate
switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#

          Configuring NTP Access Restrictions

          You can control access to NTP services by using access groups. Specifically, you can specify the types of requests that the device allows and the servers from which it accepts responses.

          If you do not configure any access groups, NTP access is granted to all devices. If you configure any access groups, NTP access is granted only to the remote device whose source IP address passes the access list criteria.

          SUMMARY STEPS

            1.    switch# configure terminal

            2.    switch(config)# [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name

            3.    switch(config)# show ntp access-groups

            4.    (Optional) switch(config)# copy running-config startup-config


          DETAILED STEPS
             Command or ActionPurpose
            Step 1switch# configure terminal  

            Enters global configuration mode.

             
            Step 2switch(config)# [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name 

            Creates or removes an access group to control NTP access and applies a basic IP access list.

            The access group options are scanned in the following order, from least restrictive to most restrictive. However, if NTP matches a deny ACL rule in a configured peer, ACL processing stops and does not continue to the next access group option.

            • The peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to the servers specified in the access list.

            • The serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers.

            • The serve-only keyword enables the device to receive only time requests from servers specified in the access list.

            • The query-only keyword enables the device to receive only NTP control queries from the servers specified in the access list.

             
            Step 3switch(config)# show ntp access-groups 

            (Optional) Displays the NTP access group configuration.

             
            Step 4switch(config)# copy running-config startup-config   (Optional)

            Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

             

            This example shows how to configure the device to allow it to synchronize to a peer from access group "accesslist1": 

            switch# configure terminal
switch(config)# ntp access-group peer accesslist1
switch(config)# show ntp access-groups
Access List Type
-----------------------------
accesslist1 Peer
switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#

            Configuring the NTP Source IP Address

            NTP sets the source IP address for all NTP packets based on the address of the interface through which the NTP packets are sent. You can configure NTP to use a specific source IP address.

            SUMMARY STEPS

              1.    switch# configure terminal

              2.    [no] ntp source ip-address


            DETAILED STEPS
               Command or ActionPurpose
              Step 1switch# configure terminal  

              Enters global configuration mode.

               
              Step 2[no] ntp source ip-address
               

              Configures the source IP address for all NTP packets. The ip-address can be in IPv4 or IPv6 format.

               

              This example shows how to configure an NTP source IP address of 192.0.2.2.

              switch# configure terminal
switch(config)# ntp source 192.0.2.2

              Configuring the NTP Source Interface

              You can configure NTP to use a specific interface.

              SUMMARY STEPS

                1.    switch# configure terminal

                2.    [no] ntp source-interface interface


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1switch# configure terminal  

                Enters global configuration mode.

                 
                Step 2[no] ntp source-interface interface
                 

                Configures the source interface for all NTP packets. The following list contains the valid values for interface.

                • ethernet

                • loopback

                • mgmt

                • port-channel

                • vlan

                 

                This example shows how to configure the NTP source interface:

                switch# configure terminal
switch(config)# ntp source-interface ethernet

                Configuring NTP Logging

                You can configure NTP logging in order to generate system logs with significant NTP events. NTP logging is disabled by default.

                SUMMARY STEPS

                  1.    switch# configure terminal

                  2.    switch(config)# [no] ntp logging

                  3.    (Optional) switch(config)# show ntp logging-status

                  4.    (Optional) switch(config)# copy running-config startup-config


                DETAILED STEPS
                   Command or ActionPurpose
                  Step 1switch# configure terminal  

                  Enters global configuration mode.

                   
                  Step 2switch(config)# [no] ntp logging  

                  Enables or disables system logs to be generated with significant NTP events. NTP logging is disabled by default.

                   
                  Step 3switch(config)# show ntp logging-status   (Optional)

                  Displays the NTP logging configuration status.

                   
                  Step 4switch(config)# copy running-config startup-config   (Optional)

                  Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                   

                  The following example shows how to enable NTP logging in order to generate system logs with significant NTP events: 

                  switch# configure terminal
switch(config)# ntp logging
switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#

                  Enabling CFS Distribution for NTP

                  You can enable CFS distribution for NTP in order to distribute the NTP configuration to other CFS-enabled devices.

                  Before You Begin

                  Make sure that you have enabled CFS distribution for the device.

                  SUMMARY STEPS

                    1.    switch# configure terminal

                    2.    switch(config)# [no] ntp distribute

                    3.    (Optional) switch(config)# show ntp status

                    4.    (Optional) switch(config)# copy running-config startup-config


                  DETAILED STEPS
                     Command or ActionPurpose
                    Step 1switch# configure terminal  

                    Enters global configuration mode.

                     
                    Step 2switch(config)# [no] ntp distribute  

                    Enables or disables the device to receive NTP configuration updates that are distributed through CFS.

                     
                    Step 3switch(config)# show ntp status   (Optional)

                    Displays the NTP CFS distribution status.

                     
                    Step 4switch(config)# copy running-config startup-config   (Optional)

                    Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                     

                    This example shows how to enable the device to receive NTP configuration updates through CFS: 

                    switch# configure terminal
switch(config)# ntp distribute
switch(config)# copy running-config startup-config

                    Committing NTP Configuration Changes

                    When you commit the NTP configuration changes, the effective database is overwritten by the configuration changes in the pending database and all the devices in the network receive the same configuration.

                    SUMMARY STEPS

                      1.    switch# configure terminal

                      2.    switch(config)# ntp commit


                    DETAILED STEPS
                       Command or ActionPurpose
                      Step 1switch# configure terminal  

                      Enters global configuration mode.

                       
                      Step 2switch(config)# ntp commit 

                      Distributes the NTP configuration changes to all Cisco NX-OS devices in the network and releases the CFS lock. This command overwrites the effective database with the changes made to the pending database.

                       

                      Discarding NTP Configuration Changes

                      After making the configuration changes, you can choose to discard the changes instead of committing them. If you discard the changes, Cisco NX-OS removes the pending database changes and releases the CFS lock.

                      SUMMARY STEPS

                        1.    switch# configure terminal

                        2.    switch(config)# ntp abort


                      DETAILED STEPS
                         Command or ActionPurpose
                        Step 1switch# configure terminal  

                        Enters global configuration mode.

                         
                        Step 2switch(config)# ntp abort 

                        Discards the NTP configuration changes in the pending database and releases the CFS lock. Use this command on the device where you started the NTP configuration.

                         

                        Releasing the CFS Session Lock

                        If you have performed an NTP configuration and have forgotten to release the lock by either committing or discarding the changes, you or another administrator can release the lock from any device in the network. This action also discards pending database changes.

                        SUMMARY STEPS

                          1.    switch# configure terminal

                          2.    switch(config)# clear ntp session


                        DETAILED STEPS
                           Command or ActionPurpose
                          Step 1switch# configure terminal  

                          Enters global configuration mode.

                           
                          Step 2switch(config)# clear ntp session 

                          Discards the NTP configuration changes in the pending database and releases the CFS lock.

                           

                          Verifying the NTP Configuration

                          Command Purpose

                          show ntp access-groups

                          Displays the NTP access group configuration.

                          show ntp authentication-keys

                          Displays the configured NTP authentication keys.

                          show ntp authentication-status

                          Displays the status of NTP authentication.

                          show ntp internal

                          Displays internal NTP information.

                          show ntp logging-status

                          Displays the NTP logging status.

                          show ntp peer-status

                          Displays the status for all NTP servers and peers.

                          show ntp peer

                          Displays all the NTP peers.

                          show ntp pending

                          Displays the temporary CFS database for NTP.

                          show ntp pending-diff

                          Displays the difference between the pending CFS database and the current NTP configuration.

                          show ntp rts-update

                          Displays the RTS update status.

                          show ntp session status

                          Displays the NTP CFS distribution session information.

                          show ntp source

                          Displays the configured NTP source IP address.

                          show ntp source-interface

                          Displays the configured NTP source interface.

                          show ntp statistics {io | local | memory | peer {ipaddr {ipv4-addr} | name peer-name}}

                          Displays the NTP statistics.

                          show ntp status

                          Displays the NTP CFS distribution status.

                          show ntp trusted-keys

                          Displays the configured NTP trusted keys.

                          show running-config ntp

                          Displays NTP information.

                          Configuration Examples for NTP

                          Configuration Examples for NTP

                          This example shows how to configure an NTP server and peer, enable NTP authentication, enable NTP logging, and then save the startup configuration so that it is saved across reboots and restarts:

                          switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ntp server 192.0.2.105 key 42
switch(config)# ntp peer 192.0.2.105
switch(config)# show ntp peers
--------------------------------------------------
Peer IP Address Serv/Peer
--------------------------------------------------
192.0.2.100 Peer (configured)
192.0.2.105 Server (configured)
switch(config)# ntp authentication-key 42 md5 aNiceKey
switch(config)# show ntp authentication-keys
-----------------------------
Auth key MD5 String
-----------------------------
42 aNicekey
switch(config)# ntp trusted-key 42
switch(config)# show ntp trusted-keys
Trusted Keys:
42
switch(config)# ntp authenticate
switch(config)# show ntp authentication-status
Authentication enabled.
switch(config)# ntp logging
switch(config)# show ntp logging
NTP logging enabled.
switch(config)# copy running-config startup-config
[########################################] 100%
switch(config)#

                          This example shows an NTP access group configuration with the following restrictions:

                          • Peer restrictions are applied to IP addresses that pass the criteria of the access list named “peer-acl.”

                          • Serve restrictions are applied to IP addresses that pass the criteria of the access list named “serve-acl.”

                          • Serve-only restrictions are applied to IP addresses that pass the criteria of the access list named “serve-only-acl.”

                          • Query-only restrictions are applied to IP addresses that pass the criteria of the access list named “query-only-acl.”

                          switch# configure terminal
switch(config)# ntp peer 10.1.1.1
switch(config)# ntp peer 10.2.2.2
switch(config)# ntp peer 10.3.3.3
switch(config)# ntp peer 10.4.4.4
switch(config)# ntp peer 10.5.5.5
switch(config)# ntp peer 10.6.6.6
switch(config)# ntp peer 10.7.7.7
switch(config)# ntp peer 10.8.8.8
switch(config)# ntp access-group peer peer-acl
switch(config)# ntp access-group serve serve-acl
switch(config)# ntp access-group serve-only serve-only-acl
switch(config)# ntp access-group query-only query-only-acl
switch(config)# ip access-list peer-acl
switch(config-acl)# 10 permit ip host 10.1.1.1 any
switch(config-acl)# 20 permit ip host 10.8.8.8 any
switch(config)# ip access-list serve-acl
switch(config-acl)# 10 permit ip host 10.4.4.4 any
switch(config-acl)# 20 permit ip host 10.5.5.5 any
switch(config)# ip access-list serve-only-acl
switch(config-acl)# 10 permit ip host 10.6.6.6 any
switch(config-acl)# 20 permit ip host 10.7.7.7 any
switch(config)# ip access-list query-only-acl
switch(config-acl)# 10 permit ip host 10.2.2.2 any
switch(config-acl)# 20 permit ip host 10.3.3.3 any