Network Time Protocol (NTP)

Beginning with switch software release 16.01, the NTP Client feature is supported on the following switch models covered in this guide:

  • 2530 (YA software)

  • 2530 (YB software)

  • 2620 (RA software)

  • 2920 (WB software)

The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients in order to correlate events when receiving system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol.

All NTP communications use Coordinated Universal Time (UTC). An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.

NTP uses a stratum to describe the distance between a network device and an authoritative time source:

  • A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).

  • A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.

Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1.

The security features of NTP can be used to avoid the accidental or malicious setting of incorrect time. One such mechanism is available: keyed authentication of NTP packets (MD5 or SHA1), described under ntp authentication below.

Though similar, the NTP algorithm is more complex and accurate than the Simple Network Time Protocol (SNTP).

IMPORTANT: Enabling this feature results in synchronizing the system clock; therefore, it may affect all sub-systems that rely on system time.


Commands

The following commands allow the user to configure NTP or show NTP configurations.

timesync

This command is used to configure the protocol used for network time synchronization.

Syntax

[no] timesync { timep | sntp | timep-or-sntp | ntp }

Options

no

Deletes all timesync configurations on the device.

timep

Updates the system clock using TIMEP.

sntp

Updates the system clock using SNTP.

timep-or-sntp

Updates the system clock using TIMEP or SNTP (default).

ntp

Updates the system clock using NTP.

Example
Switch(config)# timesync
sntp                  Update the system clock using SNTP.
timep                 Update the system clock using TIMEP.
timep-or-sntp         Update the system clock using TIMEP or SNTP.
ntp                   Update the system clock using NTP.

timesync ntp

This command is used to update the system clock using NTP.

Syntax

timesync ntp

Description

Update the system clock using NTP.

ntp

This command selects the operating mode of the NTP client.

Syntax

ntp [broadcast|unicast]

Options

broadcast

Sets the NTP client to operate in broadcast mode.

unicast

Sets the NTP client to operate in unicast mode.

Usage

The default mode is broadcast.

[no] ntp

This command disables NTP and removes all NTP configurations on the device.

Syntax

[no] ntp [authentication <key-id> | broadcast | enable | max-association <integer> | server <IP-ADDR> | trap <trap-name> | unicast]

Description

Disables NTP and removes the entire NTP configuration.

Options

authentication

Configure NTP authentication.

broadcast

Operate in broadcast mode.

enable

Enable/disable NTP.

max-association

Maximum number of Network Time Protocol (NTP) associations.

server

Configure an NTP server to poll for time synchronization.

trap

Enable/disable NTP traps.

unicast

Operate in unicast mode.

Example
switch(config)# no ntp
This will delete all NTP configurations on this device. Continue [y/n]?

ntp enable

This command is used to enable or disable NTP on the switch.

Syntax

ntp enable

Example
switch(config)# ntp
enable       Enable/disable NTP.
Description

Enable or disable NTP. Use [no] to disable NTP.

Restrictions

Validation: If timesync is set to SNTP or TIMEP when NTP is enabled.
Error/Warning/Prompt: Timesync is not configured to NTP.

Validation: If timesync is NTP, NTP is enabled, and an attempt is made to change timesync to SNTP or TIMEP.
Error/Warning/Prompt: Disable NTP before changing timesync to SNTP or TIMEP.

ntp authentication

This command configures the key the NTP client uses to authenticate the NTP server.

Syntax

ntp authentication key-id <KEY-ID> [authentication-mode <MODE> key-value <KEY-STRING>] [trusted]

Parameters/Options

key-id <id>

Sets the key-id for the authentication key.

Subcommands

authentication-mode

Sets the NTP authentication mode.

key-value <KEY-STRING>

Sets the key-value for the authentication key.

[trusted]

Sets the authentication key as trusted.

Example
Switch(config)# ntp
authentication      Configure NTP authentication.

Switch(config)# ntp authentication
key-id              Set the key-id for this authentication key.

Switch(config)# ntp authentication key-id
<1-4294967295>      Set the authentication key-id.

Switch(config)# ntp authentication key-id 1
authentication-mode  Set the NTP authentication mode.
trusted              Set this authentication key as trusted.

Switch(config)# ntp authentication key-id 1 authentication-mode
md5                  Authenticate using MD5.

Switch(config)# ntp authentication key-id 1 authentication-mode md5
key-value            Set the NTP authentication key.

Switch(config)# ntp authentication key-id 1 authentication-mode md5 key-value
KEY                  Enter a string to be set as the NTP authentication key.

ntp authentication key-id

Syntax

ntp authentication key-id <key-id> [authentication-mode [md5 | sha1] key-value <key-value>] [trusted]

Description

The NTP client authenticates the NTP server.

Options

authentication-mode

Set the NTP authentication mode.

  • md5: Authenticate using MD5.

  • sha1: Authenticate using SHA1.

trusted

Set this authentication key as trusted.
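As an added illustration (not code from the switch or its documentation), the following Python sketch shows what the key table and the trusted flag mean on the wire. NTP symmetric-key authentication appends a 4-byte key-id and a digest of (key || 48-byte header) to the packet, 16 bytes for MD5 and 20 bytes for SHA1; a client accepts the packet only if the key-id is configured, marked trusted, and the digest matches. The key table, key strings and packets are constructed here, and packets with NTPv4 extension fields are not handled. The rejection reasons reuse the validation and event-log messages from this page.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
DIGEST_LEN = {"md5": 16, "sha1": 20}

# Constructed key table mirroring "ntp authentication key-id <id>
# authentication-mode <md5|sha1> key-value <string> [trusted]".
# Key strings are made up for this example.
KEY_TABLE = {
    1: {"mode": "md5", "key": b"example-md5-secret", "trusted": True},
    2: {"mode": "sha1", "key": b"example-sha1-secret", "trusted": True},
    7: {"mode": "md5", "key": b"configured-but-untrusted", "trusted": False},
}


def make_header(stratum=2, mode=4, version=4):
    """Build a constructed 48-byte NTP header: LI=0, version, mode (4 = server)."""
    first = (version << 3) | mode
    # poll=10 (2**10 s), precision=-20; remaining fields are zero for the example
    head = struct.pack("!BBbb", first, stratum, 10, -20)
    return head + bytes(NTP_HEADER_LEN - len(head))


def compute_mac(key_id, header):
    """MAC = key-id (4 bytes, network order) + digest(key || header)."""
    entry = KEY_TABLE[key_id]
    h = hashlib.new(entry["mode"])
    h.update(entry["key"] + header)
    return struct.pack("!I", key_id) + h.digest()


def build_authenticated_packet(header, key_id):
    return header + compute_mac(key_id, header)


def verify_packet(packet):
    """Return (ok, reason) as a client holding KEY_TABLE would judge the packet.
    Assumes no extension fields, so everything after byte 48 is the MAC."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "Packet shorter than the 48-byte NTP header."
    trailer = packet[NTP_HEADER_LEN:]
    if len(trailer) == 0:
        return False, "Packet carries no MAC; authentication is required."
    if len(trailer) < 4:
        return False, "Truncated MAC."
    key_id = struct.unpack("!I", trailer[:4])[0]
    digest = trailer[4:]
    entry = KEY_TABLE.get(key_id)
    if entry is None:
        return False, f"Authentication key-id {key_id} has not been configured."
    if not entry["trusted"]:
        return False, f"Key-id {key_id} is not trusted."
    if len(digest) != DIGEST_LEN[entry["mode"]]:
        return False, f"MAC length {len(digest)} does not match {entry['mode'].upper()}."
    expected = compute_mac(key_id, packet[:NTP_HEADER_LEN])[4:]
    if not hmac.compare_digest(expected, digest):
        return False, f"The {entry['mode'].upper()} authentication on the NTP packet failed."
    return True, "Authenticated with key-id %d (%s)." % (key_id, entry["mode"])


if __name__ == "__main__":
    good = build_authenticated_packet(make_header(), 1)
    print(verify_packet(good))
    tampered = bytearray(good)
    tampered[1] = 1  # header claims stratum 1, but the digest no longer matches
    print(verify_packet(bytes(tampered)))
    print(verify_packet(build_authenticated_packet(make_header(), 7)))
    print(verify_packet(make_header()))
```

The point of the trusted flag is visible in verify_packet: key-id 7 is configured with a valid key, yet a correctly signed packet under it is still rejected, which is why the switch reports "Key-id is not trusted" when an untrusted key is referenced from ntp server.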

ntp max-association

This command is used to configure the maximum number of servers associated with this NTP client.

Syntax

ntp max-association <number>

Options

max-association <number>

Sets the maximum number of NTP associations.

Description

Configures the maximum number of servers associated with the client. Up to eight servers can be configured.

Restrictions

The range for a maximum number of NTP associations is 1–8.

Example
Switch(config)# ntp
max-associations      Maximum number of NTP associations.

Switch(config)# ntp max-associations
<1-8>                  Enter the number.
Restrictions

Validation: When the number of configured NTP servers is more than the max-associations value.
Error/Warning/Prompt: The maximum number of NTP servers allowed is <number>.

Validation: When the max-associations value is less than the number (n) of NTP servers already configured.
Error/Warning/Prompt: Max-associations value cannot be less than the number of NTP servers configured.

ntp server

This command is used to configure the NTP servers.

Syntax

[no] ntp server

ntp server <IP-ADDR|IPv6-ADDR> [key <key-id>] [oobm] [max-poll <max-poll-val>][min-poll <min-poll-val>][burst | iburst] [version <1-4>]

Parameters/Options

[no]

Removes the unicast NTP configurations on the device.

Subcommands

IP-ADDR

Sets the IPv4 address of the NTP server.

IPV6-ADDR

Sets the IPv6 address of the NTP server.

oobm

Specifies that the NTP Unicast server is accessible over an OOBM interface.

key <key-id>

Specifies the authentication key.

max-poll <max-poll-val>

Configures the maximum polling interval as a power of 2, in seconds. Range is 4–17 (for example, 5 translates to 2^5 = 32 seconds).

min-poll <min-poll-val>

Configures the minimum polling interval as a power of 2, in seconds. Range is 4–17.

burst

Enables burst mode.

iburst

Enables initial burst mode.

version

Sets version 1–4.

Usage

A maximum of 8 NTP servers can be configured.

Example
Switch(config)# ntp
server          Allow the software clock to be synchronized by an NTP time server.
broadcast       Operate in broadcast mode.
unicast         Operate in unicast mode.


Switch(config)# ntp server
IP-ADDR         IPv4 address of the NTP server.
IPV6-ADDR       IPv6 address of the NTP server.

Switch(config)# ntp server <IP-ADDR>
Key             Specify the authentication key.


Switch(config)# ntp server <IP-ADDR> key key-id
Max-poll        Configure the maximum time intervals in seconds.

Switch(config)# ntp server <IP-ADDR> key key-id max-poll
<4-17>          Enter an integer number.


Switch(config)# ntp server <IP-ADDR> key key-id
Min-poll        Configure the minimum time intervals in seconds.


Switch(config)# ntp server <IP-ADDR> key key-id min-poll
<4-17>          Enter an integer number.


Switch(config)# ntp server <IP-ADDR> key key-id prefer max-poll <max-poll-val> min-poll <min-poll-val>
iburst          Enable initial burst (iburst) mode.
burst           Enable burst mode.


Switch(config)# ntp server IP-ADDR key key-id prefer maxpoll <number> minpoll <number> iburst
Restrictions

Validation: If the authentication key-id is not configured.
Error/Warning/Prompt: Authentication key-id has not been configured.

Validation: If the key-id is not marked as trusted.
Error/Warning/Prompt: Key-id is not trusted.

Validation: When the min-poll value is more than the max-poll value.
Error/Warning/Prompt: NTP max poll value should be more than min poll value.

ntp server key-id

Syntax

ntp server <IP-ADDR | IPV6-ADDR> key-id <key-id> [max-poll <max-poll-val>] [min-poll <min-poll-val>] [burst | iburst]

Description

Configure the NTP server. <IP-ADDR> indicates the IPv4 address of the NTP server. <IPV6-ADDR> indicates the IPv6 address of the NTP server.

Options

burst

Enables burst mode.

iburst

Enables initial burst (iburst) mode.

key-id

Set the authentication key to use for this server.

max-poll <max-poll-val>

Configure the maximum time intervals in seconds.

min-poll <min-poll-val>

Configure the minimum time intervals in seconds.

ntp ipv6-multicast

This command is used to configure NTP multicast on a VLAN interface.

Syntax

ntp ipv6-multicast

Description

Configure the interface to listen to the NTP multicast packets.

Example
Switch(vlan-2)# ntp
ipv6-multicast       Configure the interface to listen to the NTP multicast packets.
Restrictions

Validation: If IPv6 is not enabled on the VLAN interface.
Error/Warning/Prompt: IPv6 address not configured on the VLAN.

debug ntp

This command is used to display debug messages for NTP.

Syntax

debug ntp <event | packet>

Options

event

Displays event log messages related to NTP.

packet

Displays NTP packet messages.

Description

Enable debug logging. Use [no] to disable debug logging.

Example
Switch(config)# debug ntp
event                 Display event log messages related to NTP.
packet                Display NTP packet messages.

ntp trap

This command is used to configure NTP traps.

Syntax

ntp trap <trap-name>

Description

Enable NTP traps. Use [no] to disable NTP traps.

Options

ntp-mode-change

Sends a notification when the NTP entity changes mode, including starting and stopping (if possible).

ntp-stratum-change

Sends a notification when the stratum level of NTP changes.

ntp-peer-change

Sends a notification when a (new) syspeer has been selected.

ntp-new-association

Sends a notification when a new association is mobilized.

ntp-remove-association

Sends a notification when an association is demobilized.

ntp-config-change

Sends a notification when the NTP configuration has changed.

ntp-leapsec-announced

Sends a notification when a leap second has been announced.

ntp-alive-heartbeat

Sends a notification periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive.

all

Enables all traps.

Usage

The traps defined below are generated when an unusual condition is found while parsing an NTP packet or processing a timer event. If more than one unusual condition is encountered while parsing the packet or processing an event, only the first one generates a trap. Possible trap names are:

- 'ntpEntNotifModeChange' The notification to be sent when the NTP entity changes mode, including starting and stopping (if possible).

- 'ntpEntNotifStratumChange' The notification to be sent when stratum level of NTP changes.

- 'ntpEntNotifSyspeerChanged' The notification to be sent when a (new) syspeer has been selected.

- 'ntpEntNotifAddAssociation' The notification to be sent when a new association is mobilized.

- 'ntpEntNotifRemoveAssociation' The notification to be sent when an association is demobilized.

- 'ntpEntNotifConfigChanged' The notification to be sent when the NTP configuration has changed.

- 'ntpEntNotifLeapSecondAnnounced' The notification to be sent when a leap second has been announced.

- 'ntpEntNotifHeartbeat' The notification to be sent periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive.

- 'ntpEntNotifAll' The notification to be sent when all traps have been enabled.

show ntp statistics

This command is used to show NTP statistics.

Syntax

show ntp statistics

Description

Show information about NTP packets.

Examples
Switch(config)# show ntp statistics

NTP Global statistics information

NTP In Packets                : 100
NTP Out Packets               : 110
NTP Bad Version Packets       : 4
NTP Protocol Error Packets    : 0

show ntp status

Syntax

show ntp status

Description

Show the status of NTP.

Example
Switch(config)# show ntp status

NTP Status information
NTP Status             : Disabled             NTP Mode        : Broadcast
Synchronization Status : Synchronized         Peer Dispersion : 8.01 sec
Stratum Number         : 2                    Leap Direction  : 1
Reference Assoc Id     : 1                    Clock Offset    : 0.0000 sec
Reference              : 192.0.2.1            Root Delay      : 0.00 sec
Precision              : 2**7                 Root Dispersion : 15.91 sec
NTP Uptime             : 01d 09h 15m          Time Resolution : 1
Drift                  : 0.000000000 sec/sec

System Time            : Tue Aug 25 04:59:11 2015
Reference Time         : Mon Jan  1 00:00:00 1990

show ntp associations

Syntax

show ntp associations [detail <IP-ADDR>]

Description

Show the status of configured NTP associations.

Options

detail

Show the detailed status of NTP associations configured for the system.

Example
Switch(config)# show ntp associations

                    NTP Associations Entries

Address          St   T  When Poll  Reach   Delay    Offset   Dispersion   
--------------   ---  -- ---- ----- ------ -------   -------  ----------
121.0.23.1       16   u   -  1024    0     0.000     0.000     0.000
231.45.21.4      16   u   -  1024    0     0.000     0.000     0.000
55.21.56.2       16   u   -  1024    0     0.000     0.000     0.000
23.56.13.1        3   u 209  1024  377     54.936   -6.159     12.688
91.34.255.216     4   u 132  1024  377     1.391     0.978     3.860

Switch(config)# show ntp associations detail <IP ADDR>

NTP association information

IP address       : 172.31.32.2                  Peer Mode       : Server  
Status           : Configured, Insane, Invalid  Peer Poll Intvl : 64 
Stratum          : 5                            Root Delay      : 137.77 sec
Ref Assoc ID     : 0                            Root Dispersion : 142.75
Association Name : NTP Association 0            Reach           : 376
Reference ID     : 16.93.49.4                   Delay           : 4.23 sec
Our Mode         : Client                       Offset          : -8.587 sec 
Our Poll Intvl   : 1024                         Precision       : 2**19  

Dispersion       : 1.62 sec
Association In Packets    : 60
Association Out Packets   : 60
Association Error Packets : 0
Origin Time      : Fri Jul 3 11:39:40 2015
Receive Time     : Fri Jul 3 11:39:44 2015
Transmit Time    : Fri Jul 3 11:39:44 2015

-----------------------------------------------------------------------------
Filter Delay =   4.23    4.14    2.41    5.95    2.37    2.33    4.26    4.33
Filter Offset = -8.59   -8.82   -9.91   -8.42  -10.51  -10.77  -10.13  -10.11
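Added example, not from the switch or its documentation: a Python parser for the "show ntp associations" table shown above, with an audit pass that flags what an operator reviewing this output should look at (peers at stratum 16, a Reach register of 0 or with missed polls, and a large Offset). The sample text is a constructed copy of three rows from the table on this page; the offset threshold of 5.0 is an assumed value in the table's own Offset units, and the reach field is read as the octal 8-bit shift register NTP uses for the last eight polls.

```python
import re

# Constructed copy of "show ntp associations" rows from this page.
SAMPLE_OUTPUT = """\
Switch(config)# show ntp associations

                    NTP Associations Entries

Address          St   T  When Poll  Reach   Delay    Offset   Dispersion
--------------   ---  -- ---- ----- ------ -------   -------  ----------
121.0.23.1       16   u   -  1024    0     0.000     0.000     0.000
23.56.13.1        3   u 209  1024  377     54.936   -6.159     12.688
91.34.255.216     4   u 132  1024  377     1.391     0.978     3.860
"""

ADDR_RE = re.compile(r"^[0-9A-Fa-f:.]+$")  # IPv4 or IPv6 literal
UNSYNCHRONIZED_STRATUM = 16  # stratum 16 = peer has no valid time source


def parse_associations(text):
    """Return one dict per data row of the associations table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or not ADDR_RE.match(parts[0]):
            continue  # prompt, title, column header and separator lines
        rows.append({
            "address": parts[0],
            "stratum": int(parts[1]),
            "type": parts[2],
            "when": None if parts[3] == "-" else int(parts[3]),
            "poll": int(parts[4]),
            "reach": int(parts[5], 8),  # octal shift register of the last 8 polls
            "delay": float(parts[6]),
            "offset": float(parts[7]),
            "dispersion": float(parts[8]),
        })
    return rows


def reach_count(reach):
    """Number of the last eight polls that were answered (377 octal = all eight)."""
    return bin(reach & 0xFF).count("1")


def audit(rows, max_offset=5.0):
    """Map address -> list of findings worth an operator's attention.
    max_offset is an assumed threshold in the table's own Offset units."""
    findings = {}
    for r in rows:
        issues = []
        answered = reach_count(r["reach"])
        if answered == 0:
            issues.append("unreachable: none of the last 8 polls answered")
        elif answered < 8:
            issues.append(f"lossy: {8 - answered} of the last 8 polls missed")
        if r["stratum"] >= UNSYNCHRONIZED_STRATUM:
            issues.append("peer is not synchronized (stratum 16) and cannot serve time")
        if abs(r["offset"]) > max_offset:
            issues.append(f"offset {r['offset']} exceeds {max_offset}")
        if issues:
            findings[r["address"]] = issues
    return findings


if __name__ == "__main__":
    for addr, issues in audit(parse_associations(SAMPLE_OUTPUT)).items():
        print(addr)
        for issue in issues:
            print("  -", issue)
```

Run periodically against captured CLI output, this turns the table into an alert source: a server that silently drops to stratum 16 or stops answering polls is exactly the condition the page's "The NTP Server ... is unreachable" event log message describes, and a peer whose offset drifts away from the others is the one the client's selection logic will refuse to follow.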

show ntp authentication

Syntax

show ntp authentication

Description

Show the authentication status and other information about the authentication key.

Example
Switch(config)# show ntp authentication

NTP Authentication Information

Key-ID     Auth Mode   Trusted
--------   ----------  -------
67            md5        yes 
7             md5        no  
1             sha1       yes 
2             sha1       no

Validation rules

Validation

Error/Warning/Prompt

If access-list name is not valid.

Please enter a valid access-list name.

If the authentication method is being set to two-factor authentication, various messages display.

If both the public key and username/password are not configured:

Public key and username/password should be configured for a successful two-factor authentication.

If public key is configured and username is not configured:

Username and password should be configured for a successful two-factor authentication.

If the username is configured and public key is not configured:

Public key should be configured for a successful two-factor authentication.

If “ssh-server” certificate is not installed at the time of enabling certificate-password authentication:

The “ssh-server” certificate should be installed for a successful two-factor authentication.

If the authentication method is set to two-factor while installing the public key, a message displays.

The client public keys without username will not be considered for the two-factor authentication for the SSH session.

If the username and the key installation user for that privilege do not match, a message displays and installation is not allowed.

This will also happen when the authentication method is set for two-factor.

The username in the key being installed does not match the username configured on the switch.

If the maximum number of <username : TA profile> associations is reached for a given TA profile, a message displays.

Maximum number of username associations with a TA profile is 10.

If secondary authentication type for two-factor authentication chosen is not "none", a message displays.

Not legal combination of authentication methods.

If the authentication method is anything other than two-factor and the two-factor authentication method options are set, a message displays.

Not legal combination of authentication methods.

If two-factor authentication is set and user tries to SSH into another system using “ssh <ip | hostname>” command, a message displays.

SSH client is not supported when the two-factor authentication is enabled.

If timeSync is in SNTP or Timep when NTP is enabled.

Timesync is not configured to NTP.

If timesync is NTP and NTP is enabled and we try to change timesync to SNTP.

Disable NTP before changing timesync to SNTP or TIMEP.

If we try to configure NTP servers more than the configured max-associations value.

The maximum number of NTP servers allowed is 2.

If we have ‘n’ NTP servers configured and we try to configure a max-associations value less than (n) number of NTP servers already configured.

Max-associations value cannot be less than the number of NTP servers configured.

If authentication key-id is not configured.

Authentication key-id %d has not been configured.

If key-id is not marked as trusted.

Key-id %d is not trusted.

If min poll value is more than max poll value.

NTP max poll value should be more than min poll value.

If ipv6 is not enabled on vlan interface.

IPv6 address not configured on the VLAN.

Event log messages

Event

Message

RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS

W 01/01/15 18:24:03 03397: auth: %s.

Examples:

W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication.

W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication.

W 01/01/15 18:24:03 03397: auth: Public key should be configured for the successful two-factor authentication.

I 01/01/15 18:24:03 03397: auth: The validation of certificate of SSH user ‘user1’ is successful.

RMON_SSH_KEY_TWO_FACTOR_EN

W 01/01/15 18:24:03 03399: ssh: %s.

Examples:

W 01/01/15 18:24:03 03399: ssh: The client public keys without username will not be considered for the two-factor authentication for SSH session.

W 01/01/15 18:24:03 03399: ssh: The privilege level for the user with the SSH key conflicts with the user configured.

RMON_SSH_TWO_FACTOR_AUTH_FAIL

W 01/01/15 18:24:03 03398: ssh: %s.

Examples:

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in username/password authentication.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in validating the client certificate.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed as “ssh-server” certificate is not installed.

When the NTP client is enabled.

NTP client is enabled.

When the NTP client is disabled.

NTP client is disabled.

When NTP finds a new broadcast server.

A new broadcast server at %s.

When the system clock is updated with a new time.

The system clock time was changed by %ld sec %lu nsec. The new time is %s.

When the NTP stratum changes.

The NTP Stratum was changed from %d to %d.

When all NTP associations are cleared.

All the NTP server associations are reset.

When a server is not reachable.

The NTP Server 10.1.1.2 is unreachable. (2 times in 60 seconds)

When MD5 or SHA1 authentication fails.

The MD5 authentication on the NTP packet failed.

The SHA1 authentication on the NTP packet failed.