Network Time Protocol (NTP)
Beginning with switch software release 16.01, the NTP Client feature is supported on the following switch models covered in this guide:
2530 (YA software)
2530 (YB software)
2620 (RA software)
2920 (WB software)
The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients in order to correlate events when receiving system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol.
All NTP communications use Coordinated Universal Time (UTC). An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.
NTP uses a stratum to describe the distance between a network device and an authoritative time source:
A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).
A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.
Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1.
NTP's authentication feature guards against the accidental or malicious setting of incorrect time. The switch supports one such mechanism: symmetric-key packet authentication. Server and client share a secret key, and each NTP packet carries a keyed MD5 or SHA1 digest (a message authentication code) computed over the packet header, so the client can reject packets that were not produced with the shared key. The digest does not encrypt the packet; the timestamps remain readable on the wire, and the protection is against forgery, not eavesdropping. Of the two modes, prefer sha1 where the server supports it.
Though similar, the NTP algorithm is more complex and accurate than the Simple Network Time Protocol (SNTP).
IMPORTANT: Enabling this feature results in synchronizing the system clock; therefore, it may affect all sub-systems that rely on system time.
Commands
The following commands allow the user to configure NTP or show NTP configurations.
timesync
This command is used to configure the protocol used for network time synchronization.
Syntax
[no] timesync {
timep
| sntp
| timep-or-sntp
| ntp
}
Options
no
Deletes all timesync configurations on the device.
timep
Updates the system clock using TIMEP.
sntp
Updates the system clock using SNTP.
timep-or-sntp
Updates the system clock using TIMEP or SNTP (default).
ntp
Updates the system clock using NTP.
Example
Switch(config)# timesync
 sntp           Update the system clock using SNTP.
 timep          Update the system clock using TIMEP.
 timep-or-sntp  Update the system clock using TIMEP or SNTP.
 ntp            Update the system clock using NTP.
timesync ntp
This command is used to update the system clock using NTP.
Syntax
timesync ntp
Description
Update the system clock using NTP.
ntp
This command selects the operating mode of the NTP client.
Syntax
ntp [broadcast | unicast]
Options
broadcast
Sets the NTP client to operate in broadcast mode: the switch listens for NTP broadcast packets from servers on its VLANs instead of polling configured servers.
unicast
Sets the NTP client to operate in unicast mode: the switch polls the servers configured with ntp server.
Usage
The default mode is broadcast. In broadcast mode the switch takes time from whichever broadcast server it hears on the segment (logged as "A new broadcast server at <address>"); where the segment is not trusted, use unicast mode with ntp server entries that reference a trusted authentication key.
[no] ntp
This command disables NTP and removes all NTP configurations on the device.
Syntax
[no] ntp [authentication <key-id> | broadcast | enable | max-association <integer> | server <IP-ADDR> | trap <trap-name> | unicast]
Description
no ntp with no keyword disables NTP and removes the entire NTP configuration after a confirmation prompt. no ntp followed by one of the keywords below removes only that item of the configuration.
Options
authentication | Configure NTP authentication. |
broadcast | Operate in broadcast mode. |
enable | Enable/disable NTP. |
max-association | Maximum number of Network Time Protocol (NTP) associations. |
server | Configure a NTP server to poll for time synchronization. |
trap | Enable/disable NTP traps. |
unicast | Operate in unicast mode. |
Example
switch(config)# no ntp
This will delete all NTP configurations on this device. Continue [y/n]?
ntp enable
This command is used to enable or disable NTP on the switch.
Syntax
ntp enable
Example
switch(config)# ntp enable
 Enable/disable NTP.
Description
Enable or disable NTP. Use [no] to disable NTP.
Restrictions
Validation | Error/Warning/Prompt |
---|---|
If timesync is set to SNTP or TIMEP when NTP is enabled. | Timesync is not configured to NTP. |
If timesync is NTP, NTP is enabled, and an attempt is made to change timesync to SNTP. | Disable NTP before changing timesync to SNTP or TIMEP. |
ntp authentication
This command configures the key the NTP client uses to authenticate packets received from an NTP server.
Syntax
ntp authentication key-id <KEY-ID>
[authentication-mode <MODE> key-value <KEY-STRING>] [trusted]
Parameters/Options
key-id <KEY-ID>
Sets the key-id (1–4294967295) for the authentication key.
Subcommands
authentication-mode <MODE>
Sets the NTP authentication mode: md5 or sha1.
key-value <KEY-STRING>
Sets the key-value (the shared secret) for the authentication key. The same key-id, mode and key-value must be configured on the server.
trusted
Marks the authentication key as trusted. An ntp server entry can reference only a key that is both configured and marked trusted; otherwise the command is rejected with the errors listed under ntp server.
Example
Switch(config)# ntp
 authentication       Configure NTP authentication.
Switch(config)# ntp authentication
 key-id               Set the key-id for this authentication key.
Switch(config)# ntp authentication key-id
 <1-4294967295>       Set the authentication key-id.
Switch(config)# ntp authentication key-id 1
 authentication-mode  Set the NTP authentication mode.
 trusted              Set this authentication key as trusted.
Switch(config)# ntp authentication key-id 1 authentication-mode
 md5                  Authenticate using MD5.
 sha1                 Authenticate using SHA1.
Switch(config)# ntp authentication key-id 1 authentication-mode md5
 key-value            Set the NTP authentication key.
Switch(config)# ntp authentication key-id 1 authentication-mode md5 key-value
 KEY                  Enter a string to be set as the NTP authentication key.
ntp authentication key-id
Syntax
ntp authentication key-id <key-id> [authentication-mode [md5 | sha1] key-value <key-value>] [trusted]
Description
Configures the key with which the NTP client authenticates packets from an NTP server. A packet whose digest does not match the configured key is rejected and an event log message is generated (see the event log messages at the end of this section).
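The keyed-digest check described in the introduction and configured by ntp authentication, shown end to end as an added Python example (this is not code from the switch or from HPE). It assumes the RFC 5905 packet layout and the ntpd construction of the MAC, digest = hash(key || 48-byte header) appended after a 4-byte key-id; the switch's exact MAC construction is assumed to follow that. The key table, the timestamps and the error strings (modelled on the switch's own messages) are constructed for the example.

```python
"""Symmetric-key authentication on an NTPv4 packet (keyed MD5/SHA1 digest).

Added illustration, not the switch's own code. The digest is computed as
hash(key || 48-byte header) and appended after a 4-byte key-id, as ntpd does
(assumed to match the switch's md5/sha1 modes). Nothing is encrypted: the
header stays readable; only forgery without the key is detected."""
import hashlib
import hmac
import struct

HEADER_LEN = 48
NTP_UNIX_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
DIGEST_LEN = {"md5": 16, "sha1": 20}


def ntp_timestamp(unix_seconds: float) -> int:
    """Convert a Unix time to the 64-bit NTP fixed-point timestamp."""
    secs = int(unix_seconds) + NTP_UNIX_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def build_header(mode: int, stratum: int, xmit_unix: float,
                 version: int = 4, poll: int = 6) -> bytes:
    """Pack the 48-byte NTP header (mode 3 = client, 4 = server)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbbII4sQQQQ",
                       li_vn_mode, stratum, poll, -20,   # LI/VN/mode, stratum, poll, precision
                       0, 0, b"GPS ",                    # root delay, root dispersion, ref id
                       0, 0, 0, ntp_timestamp(xmit_unix))  # ref, orig, recv, xmit timestamps


def append_mac(header: bytes, key_id: int, algo: str, key: bytes) -> bytes:
    """Append key-id + digest; the digest covers the shared key and the header only."""
    digest = hashlib.new(algo, key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, keys: dict) -> str:
    """Check the MAC against a key table {key_id: (algo, key, trusted)}.

    Returns a verdict string modelled on the switch's own error messages."""
    if len(packet) == HEADER_LEN:
        return "no MAC present"                       # unauthenticated packet
    if len(packet) < HEADER_LEN + 4:
        return "malformed MAC"
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    entry = keys.get(key_id)
    if entry is None:
        return f"Authentication key-id {key_id} has not been configured"
    algo, key, trusted = entry
    if not trusted:
        return f"Key-id {key_id} is not trusted"
    received = trailer[4:]
    expected = hashlib.new(algo, key + header).digest()
    if len(received) != DIGEST_LEN[algo] or not hmac.compare_digest(received, expected):
        return f"The {algo.upper()} authentication on the NTP packet failed"
    return "ok"


# Constructed key table: key 1 is trusted, key 2 is configured but not trusted.
KEYS = {1: ("sha1", b"correct-horse-battery", True),
        2: ("md5", b"legacy-key", False)}


def demo() -> dict:
    """Run the cases a practitioner cares about and return the verdicts."""
    reply = append_mac(build_header(mode=4, stratum=2, xmit_unix=1437000000.5),
                       1, "sha1", KEYS[1][1])
    results = {"valid": verify_packet(reply, KEYS)}
    # An attacker rewrites the transmit timestamp (bytes 40..47) without the key.
    forged = bytearray(reply)
    forged[40:48] = struct.pack("!Q", ntp_timestamp(1437000000.5 + 3600))
    results["tampered"] = verify_packet(bytes(forged), KEYS)
    # The same header signed with a key the client does not share.
    results["wrong_key"] = verify_packet(append_mac(reply[:HEADER_LEN], 1, "sha1", b"wrong-key"), KEYS)
    # Untrusted and unconfigured key-ids are rejected before any digest check.
    results["untrusted"] = verify_packet(append_mac(reply[:HEADER_LEN], 2, "md5", KEYS[2][1]), KEYS)
    results["unknown"] = verify_packet(append_mac(reply[:HEADER_LEN], 9, "md5", b"x"), KEYS)
    # A bare header carries nothing to verify: this is the spoofing exposure of an unkeyed server.
    results["plain"] = verify_packet(reply[:HEADER_LEN], KEYS)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} {verdict}")
```

The three rejection paths mirror the three checks the switch performs: the key-id must exist, it must be marked trusted, and only then is the digest compared. The constant-time comparison matters less for a one-shot MAC than for a server, but it is the habit worth keeping.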
ntp max-association
This command is used to configure the maximum number of servers associated with this NTP client.
Syntax
ntp max-association <number>
Options
max-association <number>
Sets the maximum number of NTP associations.
Description
Configure the maximum number of servers associated with the client. Up to eight servers can be configured as the maximum.
Restrictions
The range for the maximum number of NTP associations is 1–8.
Example
Switch(config)# ntp max-associations
 <1-8>   Maximum number of NTP associations.
Switch(config)# ntp max-associations <1-8>
         Enter the number.
Restrictions
Validation | Error/Warning/Prompt |
---|---|
When the number of configured NTP servers is more than the max-associations value. | The maximum number of NTP servers allowed is <number>. |
When the max-associations value is less than the number (n) of configured NTP servers. | Max-associations value cannot be less than the number of NTP servers configured. |
ntp server
This command is used to configure the NTP servers.
Syntax
[no] ntp server <IP-ADDR | IPv6-ADDR> [key <key-id>] [oobm] [max-poll <max-poll-val>] [min-poll <min-poll-val>] [burst | iburst] [version <1-4>]
Parameters/Options
[no]
Removes the specified server (unicast NTP configuration) from the device.
Subcommands
IP-ADDR
Sets the IPv4 address of the NTP server.
IPV6-ADDR
Sets the IPv6 address of the NTP server.
oobm
Specifies that the NTP Unicast server is accessible over an OOBM interface.
key <key-id>
Specifies the authentication key.
max-poll <max-poll-val>
Sets the maximum poll interval as a power of 2 seconds. Range is 4–17 (for example, 5 means 2^5 = 32 seconds; 17 means 2^17 seconds, about 36 hours).
min-poll <min-poll-val>
Sets the minimum poll interval as a power of 2 seconds. Range is 4–17 (4 means 2^4 = 16 seconds). Must not be greater than max-poll.
burst
Enables burst mode: a burst of packets is sent at each poll interval while the server is reachable.
iburst
Enables initial burst mode: a burst of packets is sent when the server is first contacted or becomes reachable again, so that the client synchronizes within seconds of ntp enable rather than after several poll intervals.
version
Sets the NTP protocol version (1–4) used when polling this server.
Usage
A maximum of 8 NTP servers can be configured (see ntp max-association). A server entry without key accepts unauthenticated replies; on networks where NTP spoofing is a concern, reference a trusted authentication key on every server entry.
Example
Switch(config)# ntp
 server     Allow the software clock to be synchronized by an NTP time server.
 broadcast  Operate in broadcast mode.
 unicast    Operate in unicast mode.
Switch(config)# ntp server
 IP-ADDR    IPv4 address of the NTP server.
 IPV6-ADDR  IPv6 address of the NTP server.
Switch(config)# ntp server <IP-ADDR>
 key        Specify the authentication key.
Switch(config)# ntp server <IP-ADDR> key <key-id>
 max-poll   Configure the maximum time interval (power of 2 seconds).
 min-poll   Configure the minimum time interval (power of 2 seconds).
 iburst     Enable initial burst (iburst) mode.
 burst      Enable burst mode.
Switch(config)# ntp server <IP-ADDR> key <key-id> max-poll <4-17>
 Enter an integer number.
Switch(config)# ntp server <IP-ADDR> key <key-id> min-poll <4-17>
 Enter an integer number.
Switch(config)# ntp server <IP-ADDR> key <key-id> max-poll <max-poll-val> min-poll <min-poll-val> iburst
Restrictions
Validation | Error/Warning/Prompt |
---|---|
If the authentication key-id is not configured. | Authentication key-id has not been configured. |
If the key-id is not marked as trusted. | Key-id is not trusted. |
When the min-poll value is greater than the max-poll value. | NTP max poll value should be more than min poll value. |
ntp server key-id
Syntax
ntp server <IP-ADDR | IPV6-ADDR> key-id <key-id> [max-poll <max-poll-val>] [min-poll <min-poll-val>] [burst | iburst]
Description
Configure the NTP server. <IP-ADDR> indicates the IPv4 address of the NTP server. <IPV6-ADDR> indicates the IPv6 address of the NTP server.
ntp ipv6-multicast
This command is used to configure NTP multicast on a VLAN interface.
Syntax
ntp ipv6-multicast
Description
Configure the interface to listen to the NTP multicast packets.
Example
Switch(vlan-2)# ntp ipv6-multicast
 Configure the interface to listen to the NTP multicast packets.
Restrictions
Validation | Error/Warning/Prompt |
---|---|
If IPv6 is not enabled on the VLAN interface. | IPv6 address not configured on the VLAN. |
debug ntp
This command is used to display debug messages for NTP.
Syntax
debug ntp <event | packet>
Options
event
Displays event log messages related to NTP.
packet
Displays NTP packet messages.
Description
Enable debug logging. Use [no] to disable debug logging.
Example
Switch(config)# debug ntp
 event   Display event log messages related to NTP.
 packet  Display NTP packet messages.
ntp trap
This command is used to configure NTP traps.
Syntax
ntp trap <trap-name>
Description
Enable NTP traps. Use [no] to disable NTP traps.
Options
ntp-mode-change | Sends ntpEntNotifModeChange when the NTP entity changes mode, including starting and stopping. |
ntp-stratum-change | Sends ntpEntNotifStratumChange when the stratum level changes. |
ntp-peer-change | Sends ntpEntNotifSyspeerChanged when a (new) system peer is selected. |
ntp-new-association | Sends ntpEntNotifAddAssociation when a new association is mobilized. |
ntp-remove-association | Sends ntpEntNotifRemoveAssociation when an association is demobilized. |
ntp-config-change | Sends ntpEntNotifConfigChanged when the NTP configuration changes. |
ntp-leapsec-announced | Sends ntpEntNotifLeapSecondAnnounced when a leap second is announced. |
ntp-alive-heartbeat | Sends ntpEntNotifHeartbeat periodically (every ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive. |
all | Enable all traps. |
Usage
The traps listed below are generated as the result of finding an unusual condition while parsing an NTP packet or processing a timer event. If more than one type of unusual condition is encountered while parsing a packet or processing an event, only the first one generates a trap. From a monitoring standpoint, ntp-stratum-change, ntp-peer-change and ntp-new-association are the traps that reveal a change of time source. Possible trap names are:
- ntpEntNotifModeChange: the notification sent when the NTP entity changes mode, including starting and stopping (if possible).
- ntpEntNotifStratumChange: the notification sent when the stratum level of NTP changes.
- ntpEntNotifSyspeerChanged: the notification sent when a (new) syspeer has been selected.
- ntpEntNotifAddAssociation: the notification sent when a new association is mobilized.
- ntpEntNotifRemoveAssociation: the notification sent when an association is demobilized.
- ntpEntNotifConfigChanged: the notification sent when the NTP configuration has changed.
- ntpEntNotifLeapSecondAnnounced: the notification sent when a leap second has been announced.
- ntpEntNotifHeartbeat: the notification sent periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive.
- ntpEntNotifAll: the notification sent when all traps have been enabled.
show ntp statistics
This command is used to show NTP statistics.
Syntax
show ntp statistics
Description
Show information about NTP packets.
Examples
Switch(config)# show ntp statistics

 NTP Global statistics information

  NTP In Packets             : 100
  NTP Out Packets            : 110
  NTP Bad Version Packets    : 4
  NTP Protocol Error Packets : 0
show ntp status
Syntax
show ntp status
Description
Show the status of NTP.
Example
Switch(config)# show ntp status

 NTP Status information

  NTP Status             : Disabled
  NTP Mode               : Broadcast
  Synchronization Status : Synchronized
  Peer Dispersion        : 8.01 sec
  Stratum Number         : 2
  Leap Direction         : 1
  Reference Assoc Id     : 1
  Clock Offset           : 0.0000 sec
  Reference              : 192.0.2.1
  Root Delay             : 0.00 sec
  Precision              : 2**7
  Root Dispersion        : 15.91 sec
  NTP Uptime             : 01d 09h 15m
  Time Resolution        : 1
  Drift                  : 0.000000000 sec/sec
  System Time            : Tue Aug 25 04:59:11 2015
  Reference Time         : Mon Jan 1 00:00:00 1990
show ntp associations
Syntax
show ntp associations [detail <IP-ADDR>]
Description
Show the status of configured NTP associations.
Example
Switch(config)# show ntp associations

 NTP Associations Entries

  Address         St  T  When  Poll  Reach  Delay    Offset   Dispersion
  --------------  --  -  ----  ----  -----  -------  -------  ----------
  121.0.23.1      16  u  -     1024  0      0.000    0.000    0.000
  231.45.21.4     16  u  -     1024  0      0.000    0.000    0.000
  55.21.56.2      16  u  -     1024  0      0.000    0.000    0.000
  23.56.13.1      3   u  209   1024  377    54.936   -6.159   12.688
  91.34.255.216   4   u  132   1024  377    1.391    0.978    3.860

Switch(config)# show ntp associations detail <IP-ADDR>

 NTP association information

  IP address                : 172.31.32.2
  Peer Mode                 : Server
  Status                    : Configured, Insane, Invalid
  Peer Poll Intvl           : 64
  Stratum                   : 5
  Root Delay                : 137.77 sec
  Ref Assoc ID              : 0
  Root Dispersion           : 142.75
  Association Name          : NTP Association 0
  Reach                     : 376
  Reference ID              : 16.93.49.4
  Delay                     : 4.23 sec
  Our Mode                  : Client
  Offset                    : -8.587 sec
  Our Poll Intvl            : 1024
  Precision                 : 2**19
  Dispersion                : 1.62 sec
  Association In Packets    : 60
  Association Out Packets   : 60
  Association Error Packets : 0
  Origin Time               : Fri Jul 3 11:39:40 2015
  Receive Time              : Fri Jul 3 11:39:44 2015
  Transmit Time             : Fri Jul 3 11:39:44 2015
  -----------------------------------------------------------------------------
  Filter Delay  =  4.23   4.14   2.41   5.95   2.37   2.33   4.26   4.33
  Filter Offset = -8.59  -8.82  -9.91  -8.42 -10.51 -10.77 -10.13 -10.11
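A health check over the association table above, as an added Python example (not code from the switch or from HPE). The sample text is the table shown on this page, constructed here as a string; the Reach column is decoded as the octal shift register of the last eight polls (most recent poll in the low bit), stratum 16 is taken to mean an unsynchronized or unreachable peer, and the offset threshold and the units of the Delay/Offset columns are assumptions.

```python
"""Peer health from `show ntp associations` output.

Added illustration, not the switch's own code. SAMPLE is constructed from the
table on this page. Reach is an octal shift register of the last 8 polls
(low bit = most recent); stratum 16 means the peer is unsynchronized or
unreachable. The offset threshold is an assumption."""
import re

SAMPLE = """\
Switch(config)# show ntp associations

 NTP Associations Entries

  Address         St  T  When  Poll  Reach  Delay    Offset   Dispersion
  --------------  --  -  ----  ----  -----  -------  -------  ----------
  121.0.23.1      16  u  -     1024  0      0.000    0.000    0.000
  231.45.21.4     16  u  -     1024  0      0.000    0.000    0.000
  55.21.56.2      16  u  -     1024  0      0.000    0.000    0.000
  23.56.13.1      3   u  209   1024  377    54.936   -6.159   12.688
  91.34.255.216   4   u  132   1024  377    1.391    0.978    3.860
"""

# address, stratum, type, when, poll, reach (octal), delay, offset, dispersion
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+([0-7]+)"
                 r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$")


def decode_reach(reach_octal: str) -> list:
    """Return the last 8 poll results, oldest first; True = reply received."""
    bits = int(reach_octal, 8)
    return [bool((bits >> i) & 1) for i in range(7, -1, -1)]


def parse_associations(text: str) -> list:
    """Parse data rows of the association table; header and prompt lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr, st, _typ, _when, poll, reach, delay, offset, disp = m.groups()
        history = decode_reach(reach)
        peers.append({
            "address": addr,
            "stratum": int(st),
            "poll": int(poll),
            "reach": int(reach, 8),
            "polls_answered": sum(history),
            "last_poll_answered": history[-1],
            "delay": float(delay),
            "offset": float(offset),
            "dispersion": float(disp),
        })
    return peers


def assess(peers: list, max_abs_offset: float = 100.0, max_stratum: int = 10) -> tuple:
    """Return (usable peer addresses, findings). Thresholds are assumptions."""
    findings, usable = [], []
    for p in peers:
        a = p["address"]
        if p["stratum"] == 16:
            findings.append(f"{a}: stratum 16, peer is unsynchronized or unreachable")
            continue
        if p["reach"] == 0:
            findings.append(f"{a}: no reply to the last 8 polls")
            continue
        if p["polls_answered"] < 8:
            findings.append(f"{a}: {8 - p['polls_answered']} of the last 8 polls unanswered")
        if not p["last_poll_answered"]:
            findings.append(f"{a}: most recent poll unanswered")
        if p["stratum"] > max_stratum:
            findings.append(f"{a}: stratum {p['stratum']} exceeds {max_stratum}")
        if abs(p["offset"]) > max_abs_offset:
            findings.append(f"{a}: offset {p['offset']} exceeds {max_abs_offset}")
        usable.append(a)
    # With fewer than two healthy sources the client cannot outvote a bad or spoofed server.
    if len(usable) < 2:
        findings.append("fewer than 2 usable peers; a single bad server cannot be outvoted")
    return usable, findings


if __name__ == "__main__":
    usable, findings = assess(parse_associations(SAMPLE))
    print("usable:", usable)
    for f in findings:
        print("finding:", f)
```

Run against the page's sample, three of the five configured servers are flagged at stratum 16 and only two remain usable; the detail view's Reach of 376 decodes as seven replies followed by a missed most-recent poll.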
show ntp authentication
Syntax
show ntp authentication
Description
Show the authentication status and other information about the authentication key.
Validation rules
Validation | Error/Warning/Prompt |
---|---|
If timesync is set to SNTP or TIMEP when NTP is enabled. | Timesync is not configured to NTP. |
If timesync is NTP, NTP is enabled, and an attempt is made to change timesync to SNTP. | Disable NTP before changing timesync to SNTP or TIMEP. |
If more NTP servers are configured than the configured max-associations value allows. | The maximum number of NTP servers allowed is 2. |
If n NTP servers are configured and a max-associations value less than n is entered. | Max-associations value cannot be less than the number of NTP servers configured. |
If the authentication key-id is not configured. | Authentication key-id %d has not been configured. |
If the key-id is not marked as trusted. | Key-id %d is not trusted. |
If the min-poll value is greater than the max-poll value. | NTP max poll value should be more than min poll value. |
If IPv6 is not enabled on the VLAN interface. | IPv6 address not configured on the VLAN. |
Event log messages
Event | Message |
---|---|
When the NTP client is enabled. | NTP client is enabled. |
When the NTP client is disabled. | NTP client is disabled. |
When NTP finds a new broadcast server. | A new broadcast server at %s. |
When the system clock is updated with a new time. | The system clock time was changed by %ld sec %lu nsec. The new time is %s. |
When the NTP stratum changes. | The NTP Stratum was changed from %d to %d. |
When all NTP associations are cleared. | All the NTP server associations are reset. |
When a server is not reachable. | The NTP Server 10.1.1.2 is unreachable. (2 times in 60 seconds) |
When MD5 or SHA1 authentication fails. | The MD5 authentication on the NTP packet failed. / The SHA1 authentication on the NTP packet failed. |