NTP Server Configuration
The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients so that you can correlate events when you receive system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol. All NTP communications use Coordinated Universal Time (UTC).
An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network.
OcNOS supports the NTP server and client functionality described above. NTP access restrictions can be configured to control which client devices can access the NTP server.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of two nodes. One node acting as NTP Master and the other node acting as NTP Client.
Synchronization of NTP Master and NTP Client
Configuration
NTP Master
#configure terminal | Enter configure mode |
(config)#feature ntp vrf management | Enable feature ntp |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp master vrf management | Configure the node as NTP master |
(config)#ntp master stratum 1 vrf management | Configure the ntp stratum level as 1 indicating that it is using local clock |
(config)#ntp allow 10.12.20.6 vrf management | Configure ntp client address in the ntp allow list |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
NTP Client
#configure terminal | Enter configure mode. |
(config)#feature ntp vrf management | Enable feature ntp. |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp server 10.12.20.5 vrf management | Configure ntp server address for the sync to happen |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit Configure mode |
Validation
Check the local clock synchronization in the NTP Master as mentioned below:
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 59 64 377 0.000 0.000 0.000
Check the ntp client synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 4 16 377 0.137 -0.030 0.004
Synchronization of more than one NTP clients with the NTP Master
This section checks the synchronization of more than one NTP client with the NTP Master, using a subnet definition on the NTP Master.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of three nodes. One node acting as NTP Master and the other two nodes acting as NTP Clients.
Synchronization of more than one NTP clients with NTP Master using subnet definition
Configuration
NTP Master
#configure terminal | Enter configure mode |
(config)# feature ntp vrf management | Enable feature ntp |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp master vrf management | Configure the node as NTP master |
(config)# ntp master stratum 1 vrf management | Configure the ntp stratum level as 1 indicating that it is using local clock |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 vrf management | Configure the mask in the ntp allow list |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)# exit | Exit configure mode |
NTP Client1
#configure terminal | Enter configure mode. |
(config)# feature ntp vrf management | Enable feature ntp. |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp server 10.12.20.5 vrf management | Configure ntp server address for the sync to happen |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)# exit | Exit Configure mode |
NTP Client2
#configure terminal | Enter configure mode. |
(config)# feature ntp vrf management | Enable feature ntp. |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp server 10.12.20.5 vrf management | Configure ntp server address for the sync to happen |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)# exit | Exit Configure mode |
Validation
Check the local clock synchronization in the NTP Master as mentioned below:
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 59 64 377 0.000 0.000 0.000
Check the ntp client1 synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 8 32 377 0.153 -0.053 0.020
Check the ntp client2 synchronization status as mentioned below:
VTEP2#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 14 16 377 0.150 -0.686 0.034
Synchronization with Authentication
This section checks the synchronization of the NTP Master and NTP Client with authentication.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of three nodes. One node acting as NTP Master and the other two nodes acting as NTP Clients.
Synchronization of NTP Master and NTP Clients using authentication
Configuration
NTP Master
#configure terminal | Enter configure mode |
(config)# feature ntp vrf management | Enable feature ntp |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp master vrf management | Configure the node as NTP master |
(config)# ntp master stratum 1 vrf management | Configure the ntp stratum level as 1 indicating that it is using local clock |
(config)# ntp authenticate vrf management | Configure ntp server for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 vrf management | Configure the mask in the ntp allow list |
(config)#commit | Commit the configuration |
(config)# exit | Exit configure mode |
NTP Client1
#configure terminal | Enter configure mode. |
(config)# feature ntp vrf management | Enable feature ntp. |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp authenticate vrf management | Configure ntp client for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp server 10.12.20.5 key 65 vrf management | Configure ntp server address for the sync to happen with authentication key |
(config)#commit | Commit the configuration |
(config)# exit | Exit Configure mode |
NTP Client2
#configure terminal | Enter configure mode. |
(config)# feature ntp vrf management | Enable feature ntp. |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp authenticate vrf management | Configure ntp client for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp server 10.12.20.5 key 65 vrf management | Configure ntp server address for the sync to happen with authentication key |
(config)#commit | Commit the configuration |
(config)# exit | Exit Configure mode |
Validation
Check the local clock synchronization in the NTP Master as mentioned below:
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 64 64 377 0.000 0.000 0.000
Check the ntp client1 synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 12 64 377 0.185 0.002 0.006
Check the ntp client2 synchronization status as mentioned below:
VTEP2#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 16 32 377 0.175 -0.360 0.226
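As an added illustration (not OcNOS code), the sketch below shows what key ID 65 and the MD5 key configured above do on the wire in the classic NTP symmetric-key scheme: the sender appends the key ID and MD5(key || header) to the 48-byte packet, and the receiver recomputes the digest with its own trusted copy of the key. It assumes OcNOS follows this standard scheme and uses the configured string as the raw key bytes; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header
MAC_LEN = 4 + 16     # 32-bit key ID + 128-bit MD5 digest

def client_request(transmit_ts):
    """Minimal NTPv4 client-mode header carrying only a transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                  # LI=0, VN=4, Mode=3 (client)
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)    # stratum, poll, precision
    # 36 zero bytes: root delay, root dispersion, refid, reference/origin/receive timestamps
    return head + bytes(36) + struct.pack("!Q", transmit_ts)

def sign(header, key_id, key):
    """Append the key ID and MD5(key || header) to the header."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet, keys, trusted):
    """Receiver-side check: 'ok', 'no-mac', 'untrusted-key' or 'bad-mac'."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "no-mac"                                   # plain 48-byte packet or malformed
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in trusted or key_id not in keys:
        return "untrusted-key"                            # key ID unknown or not marked trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison of the received and recomputed digests
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-mac"

# Mirrors `ntp authentication-key 65 md5 test123` and `ntp trusted-key 65`.
# Assumption: the configured string is used as the raw key bytes.
KEYS = {65: b"test123"}
TRUSTED = {65}

if __name__ == "__main__":
    hdr = client_request(0x0123456789ABCDEF)              # constructed timestamp
    pkt = sign(hdr, 65, KEYS[65])
    print(len(pkt), verify(pkt, KEYS, TRUSTED))
    print(verify(hdr, KEYS, TRUSTED))                     # unauthenticated packet
    print(verify(sign(hdr, 65, b"test124"), KEYS, TRUSTED))  # peer holds a different key
```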
Synchronization of NTP Server and NTP Clients with NTP ACL
The nomodify NTP ACL option denies NTP Clients any ntpq(1) and ntpdc(1) queries that attempt to modify the state of the server (that is, run-time reconfiguration). Queries that return information are permitted.
The noquery NTP ACL option denies ntpq(1) and ntpdc(1) queries from NTP Clients. Time service is not affected.
The nopeer NTP ACL option denies access to NTP Clients that send unauthenticated packets which would result in mobilizing a new association.
The notrap NTP ACL option declines to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpq(1) control message protocol that is intended for use by remote event logging programs.
The KoD NTP ACL option makes the server send KoD (kiss-o'-death) packets when an NTP Client commits an access violation. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of three nodes. One node acting as NTP Master and the other two nodes acting as NTP Clients.
Synchronization of NTP Master and NTP Clients with NTP ACL
Configuration
NTP Master
#configure terminal | Enter configure mode |
(config)# feature ntp vrf management | Enable feature ntp |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp master vrf management | Configure the node as NTP master |
(config)# ntp master stratum 1 vrf management | Configure the ntp stratum level as 1 indicating that it is using local clock |
(config)# ntp authenticate vrf management | Configure ntp server for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 nomodify vrf management | Configure the ntp acl nomodify in the ntp allow list |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 noquery vrf management | Configure the ntp acl noquery in the ntp allow list |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 nopeer vrf management | Configure the ntp acl nopeer in the ntp allow list |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 notrap vrf management | Configure the ntp acl notrap in the ntp allow list |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 kod vrf management | Configure the ntp acl KoD in the ntp allow list |
(config)#commit | Commit the configuration |
(config)# exit | Exit configure mode |
NTP Client1
#configure terminal | Enter configure mode. |
(config)# feature ntp vrf management | Enable feature ntp. |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp authenticate vrf management | Configure ntp client for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp server 10.12.20.5 key 65 vrf management | Configure ntp server address for the sync to happen with authentication key |
(config)#commit | Commit the configuration |
(config)# exit | Exit Configure mode |
NTP Client2
#configure terminal | Enter configure mode. |
(config)# feature ntp vrf management | Enable feature ntp. |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp authenticate vrf management | Configure ntp client for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp server 10.12.20.5 key 65 vrf management | Configure ntp server address for the sync to happen with authentication key |
(config)#commit | Commit the configuration |
(config)# exit | Exit Configure mode |
Validation
Normal Time synchronization is not affected.
Check the local clock synchronization in the NTP Master as mentioned below:
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 40 64 377 0.000 0.000 0.000
VTEP1#
Check the ntp client1 synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 13 16 377 0.180 0.019 0.013
Check the ntp client2 synchronization status as mentioned below:
VTEP2#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 15 16 377 0.185 -0.018 0.017
Synchronization of NTP Server and NTP Clients with NTP ACL configured as noserve
The noserve NTP ACL option denies NTP Clients all packets except ntpq(1) and ntpdc(1) queries.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of three nodes. One node acting as NTP Master and the other two nodes acting as NTP Clients.
Synchronization of NTP Master and NTP Clients with NTP ACL as noserve
NTP Master
#configure terminal | Enter configure mode |
(config)# feature ntp vrf management | Enable feature ntp |
(config)# ntp enable vrf management | Enable ntp |
(config)# ntp master vrf management | Configure the node as NTP master |
(config)# ntp master stratum 1 vrf management | Configure the ntp stratum level as 1 indicating that it is using local clock |
(config)# ntp authenticate vrf management | Configure ntp server for authentication |
(config)# ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)# ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)# ntp allow 10.12.20.6 mask 255.255.255.0 noserve vrf management | Configure the ntp acl noserve in the ntp allow list |
(config)#commit | Commit the configuration |
(config)# exit | Exit configure mode |
NTP Client1
#configure terminal | Enter configure mode. |
(config)#feature ntp vrf management | Enable feature ntp. |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp authenticate vrf management | Configure ntp client for authentication |
(config)#ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)#ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)#ntp server 10.12.20.5 key 65 vrf management | Configure ntp server address for the sync to happen with authentication key |
(config)#commit | Commit the configuration |
(config)#exit | Exit Configure mode |
NTP Client2
#configure terminal | Enter configure mode. |
(config)#feature ntp vrf management | Enable feature ntp. |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp authenticate vrf management | Configure ntp client for authentication |
(config)#ntp authentication-key 65 md5 test123 vrf management | Configure ntp authentication key with password |
(config)#ntp trusted-key 65 vrf management | Configure ntp trusted key |
(config)#ntp server 10.12.20.5 key 65 vrf management | Configure ntp server address for the sync to happen with authentication key |
(config)#commit | Commit the configuration |
(config)#exit | Exit Configure mode |
Validation
Check that, with the NTP ACL configured as noserve, normal time synchronization is affected and there is no synchronization.
Check the local clock synchronization in the NTP Master as mentioned below:
VTEP1#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 41 64 377 0.000 0.000 0.000
Check the ntp client1 synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
10.12.20.5 .INIT. 16 u - 64 0 0.000 0.000 0.000
Check the ntp client2 synchronization status as mentioned below:
VTEP2#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
10.12.20.5 .INIT. 16 u - 64 0 0.000 0.000 0.000
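The difference between the synchronized and the noserve outputs can be checked mechanically. The following added example (not part of OcNOS) parses `show ntp peer-status` rows and reports why a peer is not a usable time source; it assumes IPv4 remotes as on this page, and the 100 ms offset threshold and function names are hypothetical.

```python
import re

# One data row of `show ntp peer-status`. Assumption: remotes are IPv4 addresses,
# as in every output on this page; header and legend lines never match.
ROW = re.compile(
    r"^\s*(?P<tally>[*+\-=x]?)(?P<remote>\d+\.\d+\.\d+\.\d+)\s+(?P<refid>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$"
)

def parse_peers(text):
    """Return one dict per peer row found in the command output."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        reach = int(m["reach"], 8)   # reach is an 8-bit shift register printed in octal
        peers.append({
            "selected": m["tally"] == "*",
            "remote": m["remote"],
            "refid": m["refid"],
            "stratum": int(m["st"]),
            "polls_answered": bin(reach & 0xFF).count("1"),   # out of the last 8 polls
            "offset_ms": float(m["offset"]),
        })
    return peers

def findings(peer, max_offset_ms=100.0):
    """Explain why a peer row does not represent a healthy time source."""
    out = []
    if peer["stratum"] >= 16:
        out.append("stratum 16: source is unsynchronized")
    if peer["refid"] == ".INIT.":
        out.append("refid .INIT.: no valid reply accepted yet")
    if peer["polls_answered"] == 0:
        out.append("reach 0: none of the last 8 polls was answered")
    if not peer["selected"]:
        out.append("not selected for sync (no '*' tally)")
    if abs(peer["offset_ms"]) > max_offset_ms:
        out.append("offset exceeds %.0f ms" % max_offset_ms)
    return out

def is_synchronized(text):
    """True when at least one peer row has no findings."""
    return any(not findings(p) for p in parse_peers(text))

# Client rows copied from the ACL and noserve validation outputs on this page.
SYNCED = """\
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 LOCAL(0) 2 u 13 16 377 0.180 0.019 0.013
"""
NOSERVE = """\
10.12.20.5 .INIT. 16 u - 64 0 0.000 0.000 0.000
"""

if __name__ == "__main__":
    for out in (SYNCED, NOSERVE):
        print([(p["remote"], findings(p) or "healthy") for p in parse_peers(out)])
```

A reach of 377 (octal) means all of the last eight polls were answered, while the noserve rows show reach 0 together with stratum 16 and refid .INIT.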
Synchronization of NTP Client with Stratum 2 NTP Master
This section checks the synchronization of an NTP Client with a Stratum 2 NTP Master.
Topology
The procedures in this section use the topology as mentioned below:
Setup consists of three nodes. First node acting as Stratum 1 NTP Master, Second node acting as Stratum 2 NTP master and the third node acting as NTP client.
Synchronization of Stratum 2 NTP Master with NTP Client
Configuration
Stratum 1 NTP Master
#configure terminal | Enter configure mode |
(config)#feature ntp vrf management | Enable feature ntp |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp master vrf management | Configure the node as NTP master |
(config)#ntp master stratum 1 vrf management | Configure the ntp stratum level as 1 indicating that it is using local clock |
(config)#ntp allow 10.12.20.5 vrf management | Configure the ntp client ip address in the ntp allow list |
(config)#commit | Commit the configuration |
(config)#exit | Exit configure mode |
Stratum 2 NTP Server/NTP Client
#configure terminal | Enter configure mode. |
(config)#feature ntp vrf management | Enable feature ntp. |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp master vrf management | Configure the node as NTP Master |
(config)#ntp master stratum 2 vrf management | Configure the node as stratum 2 ntp master |
(config)#ntp allow 10.12.20.6 vrf management | Configure NTP client ip address in the ntp allow list |
(config)#ntp server 10.12.20.7 vrf management | Configure the stratum 1 NTP master ip address for time synchronization |
(config)#commit | Commit the configuration |
(config)#exit | Exit Configure mode |
NTP Client
#configure terminal | Enter configure mode. |
(config)#feature ntp vrf management | Enable feature ntp. |
(config)#ntp enable vrf management | Enable ntp |
(config)#ntp server 10.12.20.5 vrf management | Configure ntp server address for the sync to happen |
(config)#commit | Commit the configuration |
(config)#exit | Exit Configure mode |
Validation
Check that NTP Client successfully synchronizes the time with stratum 2 NTP Master.
Check the local clock synchronization in the Stratum 1 NTP Master as mentioned below:
VTEP2#show ntp peer-status
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 1 l 22 64 377 0.000 0.000 0.000
Check the Stratum 2 NTP Master/NTP client synchronization status as mentioned below:
VTEP1#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.7 LOCAL(0) 2 u 33 64 377 0.145 0.010 0.009
127.127.1.0 .LOCL. 2 l 110m 64 0 0.000 0.000 0.000
Check the NTP Client synchronization status as mentioned below:
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode,
x - source false ticker
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.12.20.5 10.12.20.7 3 u 16 64 377 0.137 -2.596 0.235