This chapter describes how to configure the Network Time Protocol (NTP) on Cisco NX-OS devices.
This chapter includes the following sections:
About NTP
The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that you can correlate events when you receive system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol. All NTP communications use Coordinated Universal Time (UTC).
An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.
NTP uses a stratum to describe the distance between a network device and an authoritative time source:
- A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).
- A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.
Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1. Because Cisco NX-OS cannot connect to a radio or atomic clock and act as a stratum 1 server, we recommend that you use the public NTP servers available on the Internet. If the network is isolated from the Internet, Cisco NX-OS allows you to configure the time as though it were synchronized through NTP, even though it was not.
![Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 9.3(x) - Configuring NTP [Cisco Nexus 9000 Series Switches] (1)](https://i0.wp.com/www.cisco.com/content/dam/en/us/td/i/templates/note.gif "Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 9.3(x) - Configuring NTP [Cisco Nexus 9000 Series Switches] (1)") Note | You can create NTP peer relationships to designate the time-serving hosts that you want your network device to consider synchronizing with and to keep accurate time if a server failure occurs. |
The time kept on a device is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
NTP Associations
An NTP association can be one of the following:
-
A peer association—The device can either synchronize to another device or allow another device to synchronize to it.
-
A server association—The device synchronizes to a server.
You need to configure only one end of an association. The other device can automatically establish the association.
NTP as a Time Server
The Cisco NX-OS device can use NTP to distribute time. Other devices can configure it as a time server. You can also configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an outside time source.
Clock Manager
Clocks are resources that need to be shared across different processes. Multiple time synchronization protocols, such as NTP, might be running in the system.
The clock manager allows you to specify the protocol to control the various clocks in the system. Once you specify the protocol, the system clock starts updating. For information on configuring the clock manager, see the Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide.
High Availability
Stateless restarts are supported for NTP. After a reboot or a supervisor switchover, the running configuration is applied. For more information on high availability, see the Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide.
You can configure NTP peers to provide redundancy in case an NTP server fails.
Virtualization Support
NTP recognizes virtual routing and forwarding (VRF) instances. NTP uses the default VRF if you do not configure a specific VRF for the NTP server and NTP peer. See the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide for more information about VRFs.
Prerequisites for NTP
NTP has the following prerequisites:
-
To configure NTP, you must have connectivity to at least one server that is running NTP.
Guidelines and Limitations for NTP
NTP has the following configuration guidelines and limitations:
-
NTP server functionality is supported.
-
Before configuring a name based NTP server (FQDN) in a non-default VRF, you must configure a DNS server under that specific VRF. If you configure the DNS server from the global configuration mode using use-vrf option, then that name based NTP server configuration will not be added to the running configuration. If you attempted to configure NTP server using this method, you must remove the NTP configuration using the no version of the command, add the DNS server under that VRF, and then add name based NTP server to the VRF.
-
We recommend that you configure a peer association with another device only when you are sure that your clock is reliable (which means that you are a client of a reliable NTP server).
-
A peer that is configured alone takes on the role of a server and should be used as a backup. If you have two servers, you can configure several devices to point to one server and the remaining devices to point to the other server. You can then configure a peer association between these two servers to create a more reliable NTP configuration.
-
If you have only one server, we recommend that you configure all the devices as clients to that server.
-
You can configure up to 64 NTP entities (servers and peers).
(Video) Cisco Nexus 9000 - Initial Configuration -
If you configure NTP in a VRF, ensure that the NTP server and peers can reach each other through the configured VRFs.
-
Manually distribute NTP authentication keys on the NTP server and Cisco NX-OS devices across the network.
-
If you are using the switch as an edge device and want to use NTP, we recommend using the ntp access-group command and filtering NTP only to the required edge devices.
-
If the system has been configured with the ntp passive , ntp broadcast client , or ntp multicast client commands, when NTP receives an incoming symmetric active, broadcast, or multicast packet, it can set up an ephemeral peer association in order to synchronize with the sender.
![Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 9.3(x) - Configuring NTP [Cisco Nexus 9000 Series Switches] (2)](data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== "Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 9.3(x) - Configuring NTP [Cisco Nexus 9000 Series Switches] (2)")
NoteMake sure that you specify ntp authenticate before enabling any of the preceding commands. Failure to do so will allow your device to synchronize with any device that sends one of the preceding packet types, including malicious attacker-controlled devices. -
If you specify the ntp authenticate command, when a symmetric active, broadcast, or multicast packet is received, the system does not synchronize to the peer unless the packet carries one of the authentication keys that are specified in the ntp trusted-key global configuration command.
-
To prevent synchronization with unauthorized network hosts, the ntp authenticate command should be specified any time the ntp passive , ntp broadcast client , or ntp multicast client command has been specified unless other measures, such as the ntp access-group command, have been taken to prevent unauthorized hosts from communicating with the NTP service on the device.
-
The ntp authenticate command does not authenticate peer associations that are configured via the ntp server and ntp peer configuration commands. To authenticate the ntp server and ntp peer associations, specify the key keyword.
-
A maximum of four IP ACLs can be configured for a single NTP access group. IPv4 and IPv6 ACLs are supported.
Default Settings for NTP
The following table lists the default settings for NTP parameters.
| Parameters | Default |
|---|---|
| NTP | Enabled |
| NTP authentication | Disabled |
| NTP access | Enabled |
| NTP access group match all | Disabled |
| NTP logging | Disabled |
Configuring NTP
Note | Be aware that the Cisco NX-OS commands for this feature may differ from those commands used in Cisco IOS. |
Enabling or Disabling NTP
You can enable or disable NTP. NTP is enabled by default.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | [no] feature ntp Example: | Enables or disables NTP. |
| Step3 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring the Device as an Authoritative NTP Server
You can configure the device to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an existing time server.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | [no] ntp master [stratum] Example: | Configures the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15. |
| Step3 | (Optional) show running-config ntp Example: | (Optional) Displays the NTP configuration. |
| Step4 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring an NTP Server and Peer
You can configure an NTP server and peer.
Before you begin
Make sure you know the IP address or Domain Name System (DNS) names of your NTP server and its peers.
Procedure
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. | ||
| Step2 | [no] ntp server {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name] Example: | Forms an association with a server. Use the key keyword to configure a key to be used while communicating with the NTP server. The range for the key-id argument is from 1 to 65535. Use the maxpoll and minpoll keywords to configure the maximum and minimum intervals in which to poll a server. The range for the max-poll and min-poll arguments is from 4 to 16 (configured as powers of 2, so effectively 16 to 65536 seconds), and the default values are 6 and 4, respectively (maxpoll default = 64 seconds, minpoll default = 16 seconds). Use the prefer keyword to make this server the preferred NTP server for the device. Use the use-vrf keyword to configure the NTP server to communicate over the specified VRF. The vrf-name argument can be default , management , or any case-sensitive, alphanumeric string up to 32 characters.
| ||
| Step3 | [no] ntp peer {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name] Example: | Forms an association with a peer. You can specify multiple peer associations. Use the key keyword to configure a key to be used while communicating with the NTP peer. The range for the key-id argument is from 1 to 65535. Use the maxpoll and minpoll keywords to configure the maximum and minimum intervals in which to poll a server. The range for the max-poll and min-poll arguments is from 4 to 17 (configured as powers of 2, so effectively 16 to 131072 seconds), and the default values are 6 and 4, respectively (maxpoll default = 64 seconds, minpoll default = 16 seconds). Use the prefer keyword to make this peer the preferred NTP peer for the device. Use the use-vrf keyword to configure the NTP peer to communicate over the specified VRF. The vrf-name argument can be default , management , or any case-sensitive, alphanumeric string up to 32 characters. | ||
| Step4 | (Optional) show ntp peers Example: | (Optional) Displays the configured server and peers.
| ||
| Step5 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring NTP Authentication
You can configure the device to authenticate the time sources to which the local clock is synchronized. When you enable NTP authentication, the device synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the authentication check and prevents them from updating the local clock. NTP authentication is disabled by default.
Before you begin
Make sure that you configured the NTP server with the authentication keys that you plan to specify in this procedure.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | [no] ntp authentication-key number md5 md5-string Example: | Defines the authentication keys. The device does not synchronize to a time source unless the source has one of these authentication keys and the key number is specified by the ntp trusted-key number command. The range for authentication keys is from 1 to 65535. For the MD5 string, you can enter up to 15 alphanumeric characters. |
| Step3 | ntp server ip-address key key-id Example: | Forms an association with a server. Use the key keyword to configure a key to be used while communicating with the NTP server. The range for the key-id argument is from 1 to 65535. To require authentication, the key keyword must be used. Any ntp server or ntp peer commands that do not specify the key keyword will continue to operate without authentication. |
| Step4 | (Optional) show ntp authentication-keys Example: | (Optional) Displays the configured NTP authentication keys. |
| Step5 | [no] ntp trusted-key number Example: | Specifies one or more keys (defined in Step 2) that an unconfigured remote symmetric, broadcast, and multicast time source must provide in its NTP packets in order for the device to synchronize to it. The range for trusted keys is from 1 to 65535. This command provides protection against accidentally synchronizing the device to a time source that is not trusted. |
| Step6 | (Optional) show ntp trusted-keys Example: | (Optional) Displays the configured NTP trusted keys. |
| Step7 | [no] ntp authenticate Example: | Enables or disables authentication for ntp passive, ntp broadcast client, and ntp multicast. NTP authentication is disabled by default. |
| Step8 | (Optional) show ntp authentication-status Example: | (Optional) Displays the status of NTP authentication. |
| Step9 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring NTP Access Restrictions
You can control access to NTP services by using access groups. Specifically, you can specify the types of requests that the device allows and the servers from which it accepts responses.
If you do not configure any access groups, NTP access is granted to all devices. If you configure any access groups, NTP access is granted only to the remote device whose source IP address passes the access list criteria.
Beginning with Cisco NX-OS Release 7.0(3)I7(3), access groups are evaluated in the following method:
-
Without the match-all keyword, the packet gets evaluated against the access groups (in the order mentioned below) until it finds a permit. If a permit is not found, the packet is dropped.
-
With match-all keyword, the packet gets evaluated against all the access groups (in the order mentioned below) and the action is taken based on the last successful evaluation (the last access group where an ACL is configured).
The mapping of the access group to the type of packet is as follows:
-
peer—process client, symmetric active, symmetric passive, serve, control, and private packets(all types)
-
serve—process client, control, and private packets
-
serve-only—process client packets only
-
query-only—process control and private packets only
The access groups are evaluated in the following order:
-
peer (all packet types)
-
serve (client, control, and private packets)
-
serve-only (client packets) or query-only (control and private packets)
ACL processing of serve-only or query-only depends on the NTP packet type.
Procedure
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. | ||
| Step2 | [no] ntp access-group match-all | {{peer | serve | serve-only | query-only }access-list-name} Example: | Creates or removes an access group to control NTP access and applies a basic IP access list. ACL processing stops and does not continue to the next access group option if NTP matches a deny ACL rule in a configured peer.
| ||
| Step3 | (Optional) show ntp access-groups Example: | (Optional) Displays the NTP access group configuration. | ||
| Step4 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring the NTP Source IP Address
NTP sets the source IP address for all NTP packets based on the address of the interface through which the NTP packets are sent. You can configure NTP to use a specific source IP address.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | [no] ntp source ip-address Example: | Configures the source IP address for all NTP packets. The ip-address can be in IPv4 or IPv6 format. |
| Step3 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring the NTP Source Interface
You can configure NTP to use a specific interface.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | [no] ntp source-interface interface Example: | Configures the source interface for all NTP packets. Use the ? keyword to display a list of supported interfaces. |
| Step3 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring NTP Logging
You can configure NTP logging in order to generate system logs with significant NTP events. NTP logging is disabled by default.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | [no] ntp logging Example: | Enables or disables system logs to be generated with significant NTP events. NTP logging is disabled by default. |
| Step3 | (Optional) show ntp logging-status Example: | (Optional) Displays the NTP logging configuration status. |
| Step4 | (Optional) copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Verifying the NTP Configuration
To display the NTP configuration, perform one of the following tasks:
| Command | Purpose |
|---|---|
| show ntp access-groups | Displays the NTP access group configuration. |
| show ntp authentication-keys | Displays the configured NTP authentication keys. |
| show ntp authentication-status | Displays the status of NTP authentication. |
| show ntp logging-status | Displays the NTP logging status. |
| show ntp peer-status | Displays the status for all NTP servers and peers. |
| show ntp peers | Displays all the NTP peers. |
| show ntp rts-update | Displays the RTS update status. |
| show ntp source | Displays the configured NTP source IP address. |
| show ntp source-interface | Displays the configured NTP source interface. |
| show ntp statistics {io | local | memory | peer {ipaddr {ipv4-addr | ipv6-addr} | name peer-name}} | Displays the NTP statistics. |
| show ntp trusted-keys | Displays the configured NTP trusted keys. |
| show running-config ntp | Displays NTP information. |
Use the clear ntp session command to clear the NTP sessions.
Use the clear ntp statistics command to clear the NTP statistics.
Configuration Examples for NTP
This example shows how to configure the device to synchronize only to time sources that provide authentication key 42 in their NTP packets:
switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.switch(config)# ntp authentication-key 42 md5 aNiceKeyswitch(config)# ntp server 192.0.2.105 key 42switch(config)# ntp trusted-key 42switch(config)# ntp authenticateswitch(config)# copy running-config startup-config[########################################] 100%switch(config)#This example shows an NTP access group configuration with the following restrictions:
-
Peer restrictions are applied to IP addresses that pass the criteria of the access list named “peer-acl.”
(Video) 03 Instalacion y actualizacion de Cisco Nexus NX-OS (Upgrade) -
Serve restrictions are applied to IP addresses that pass the criteria of the access list named “serve-acl.”
-
Serve-only restrictions are applied to IP addresses that pass the criteria of the access list named “serve-only-acl.”
-
Query-only restrictions are applied to IP addresses that pass the criteria of the access list named “query-only-acl.”
switch# configure terminalswitch(config)# ntp peer 10.1.1.1switch(config)# ntp peer 10.2.2.2switch(config)# ntp peer 10.3.3.3switch(config)# ntp peer 10.4.4.4switch(config)# ntp peer 10.5.5.5switch(config)# ntp peer 10.6.6.6switch(config)# ntp peer 10.7.7.7switch(config)# ntp peer 10.8.8.8switch(config)# ntp access-group peer peer-aclswitch(config)# ntp access-group serve serve-aclswitch(config)# ntp access-group serve-only serve-only-aclswitch(config)# ntp access-group query-only query-only-aclswitch(config)# ip access-list peer-aclswitch(config-acl)# 10 permit ip host 10.1.1.1 anyswitch(config-acl)# 20 permit ip host 10.8.8.8 anyswitch(config)# ip access-list serve-aclswitch(config-acl)# 10 permit ip host 10.4.4.4 anyswitch(config-acl)# 20 permit ip host 10.5.5.5 anyswitch(config)# ip access-list serve-only-aclswitch(config-acl)# 10 permit ip host 10.6.6.6 anyswitch(config-acl)# 20 permit ip host 10.7.7.7 anyswitch(config)# ip access-list query-only-aclswitch(config-acl)# 10 permit ip host 10.2.2.2 anyswitch(config-acl)# 20 permit ip host 10.3.3.3 anyNote | When only a single ACL group is applied, then all the packets relevant for other ACL categories are denied and only packets relevant for the configured ACL group is processed, as mentioned in below scenarios:
If more than a single ACL is configured, it follows the order of processing as mentioned in below scenario:
|
Additional References
Related Documents
| Related Topic | Document Title |
|---|---|
| Clock manager | Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide |
MIBs
| MIBs | MIBs Link |
|---|---|
| MIBs related to NTP | To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html |
FAQs
What are 2 modes of operation in which Nexus 9000 Series switches can be configured in? ›
One mode of operation on the Nexus 9000 is enhanced NX-OS and it is pretty much like the equivalent of other Nexus series. This mode supports vast range of features like we all familiar with such as vPC, spanning-tree, routing protocols and etc. Another mode that Nexus 9k can operate on, is ACI mode.
How do I check my Nexus switch NTP status? ›To check the status of the NTP server or peer, use the command show ntp peer-status. The * beside the peer address indicates that the NTP has synchronized with the server.
Which three options are components of Cisco NX-OS? ›- Networking.
- Security.
- Software.
- Smart Building.
- Wireless and Mobility.
You can convert a Cisco Nexus 9000 Series switch from ACI boot mode back to Cisco NX-OS. Step 1 Reload the switch. Step 2 Enter a break sequence during the initial boot sequence to access the loader> prompt. Boot the active supervisor module with the Cisco NX-OS image.
Is Nexus 9k a router or switch? ›The Cisco Nexus 9000 Series Switch is a highly programmable and high density Ethernet switch that offers improved performance and greater cost efficiency.
What is the difference between NX-OS and IOS? ›Unlike Cisco IOS, NX-OS doesn't share a single memory space, and it does support symmetric multiprocessing. It also allows preemptive multitasking, which allows a high priority process to get CPU time ahead of a lower priority process.
Which NTP server is best for Cisco? ›Cisco recommends using a Linux based NTP server since it is more stable.
How do I know if my NTP server is reachable? ›- Click on the Windows button.
- In the "Search programs and files" box, type cmd and press Enter.
- If necessary, select cmd from the list of search results.
- In the command prompt window, enter w32tm /query /peers.
- Check that an entry is shown for each of the servers listed above.
...
exit status of ntpstat command
- If exit status 0 – Clock is synchronised.
- exit status 1 – Clock is not synchronised.
- exit status 2 – If clock state is indeterminant, for example if ntpd is not contactable.
- System Manager (sysmgr)
- Persistent Storage Service (PSS)
- Message & Transaction Services (MTS)
What are the main modes of operation for a router switch? ›
- Router (A) — main mode;
- Adapter (B) — connect Ethernet devices to a Wi-Fi network;
- Repeater/Extender (C) — Wi-Fi extension;
- Access point/Extender (D) — expansion of the Wi-Fi area with Ethernet connection.
- Connect the serial port to a host or serial port.
- Connect the management port (on the non-port side of the switch) to the same network where your SFTP server is located.
- At the console, set the host side serial settings: