NTP Client Configuration
Overview
NTP modes differ based on how NTP allows communication between systems. NTP communication consists of time requests and control queries. Time requests provide the standard client/server relationship in which a client requests time synchronization from an NTP server. Control queries provide ways for remote systems to get configuration information and reconfigure NTP servers.
Support for Default VRF via In-band Management
OcNOS now supports NTP over the default VRF, the management VRF, and user-defined VRFs, via the in-band management interface and the OOB management interface, respectively.
The feature can either be running on the default or management VRF. By default, it runs on the management VRF.
NTP Modes
The following describes the various NTP node types.
Client
An NTP client is configured to let its clock be set and synchronized by an external NTP timeserver. NTP clients can be configured to use multiple servers to set their local time and are able to give preference to the most accurate time sources. They do not, however, provide synchronization services to any other devices.
Server
An NTP server is configured to synchronize NTP clients. Servers can be configured to synchronize any client or only specific clients. NTP servers, however, will accept no synchronization information from their clients and therefore will not let clients update or affect the server's time settings.
Peer
With NTP peers, one NTP-enabled device does not have authority over the other. With the peering model, each device shares its time information with the others, and each device can also provide time synchronization to the others.
Authentication
For additional security, you can configure your NTP servers and clients to use authentication. Routers support MD5 authentication for NTP. To enable a router to do NTP authentication:
1. Enable NTP authentication with the ntp authenticate command.
2. Define an NTP authentication key with the ntp authentication-key vrf management command. A unique number identifies each NTP key. This number is the first argument to the ntp authentication-key vrf management command.
3. Use the ntp trusted-key vrf management command to tell the router which keys are valid for authentication. If a key is trusted, the system will be ready to synchronize to a system that uses this key in its NTP packets. The trusted key should already be configured and authenticated.
NTP Client Configuration with IPv4 Address
On an NTP client, the user can configure an association with a remote server. In this mode, the client clock can synchronize to the remote server.
After configuring the NTP servers, wait a few minutes before you verify that clock synchronization is successful. Once clock synchronization has actually happened, an ‘*’ symbol appears alongside the interface when you run the “show ntp peers” command.
Topology
SNTP Client and Server
NTP Client for User Management
#configure terminal | Enter Configure mode. |
(config)#feature ntp vrf management | Configure feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp enable vrf management | Enable NTP. This is enabled by default. |
(config)#ntp server 10.1.1.1 vrf management | Configure the NTP server IP address. |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp peers
-----------------------------------------------------------
Peer IP Address Serv/Peer
-----------------------------------------------------------
10.1.1.1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.1.1.1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
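The check described above (an '*' marks the peer selected for sync) can be automated when output is collected from many devices. The following is an added example, not part of the OcNOS documentation: it parses text in the `show ntp peer-status` layout shown on this page and flags peers that are unreachable, unsynchronized, or backed only by a server's local clock. The second sample row and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of `show ntp peer-status` on this page;
# the second row (10.1.1.9) is invented to show an unhealthy peer.
SAMPLE = """\
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.1.1.1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
=10.1.1.9 .INIT. 16 u - 64 0 0.000 0.000 0.000
"""

# Tally character, then ten whitespace-separated columns.
ROW = re.compile(
    r"^(?P<tally>[*+=-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+\S\s+"
    r"\S+\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+\S+\s+(?P<offset>-?[\d.]+)\s+\S+\s*$"
)

def parse_peer_status(text):
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # legend, header and separator lines never match
        p = m.groupdict()
        p["st"], p["poll"] = int(p["st"]), int(p["poll"])
        p["offset"] = float(p["offset"])
        # reach is an octal 8-bit shift register, one bit per recent poll
        p["polls_ok"] = bin(int(p["reach"], 8)).count("1")
        peers.append(p)
    return peers

def audit(peers):
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no peer selected for sync")
    for p in peers:
        if p["polls_ok"] == 0:
            findings.append(f"{p['remote']}: unreachable (reach 0)")
        if p["st"] >= 16:
            findings.append(f"{p['remote']}: unsynchronized (stratum 16)")
        if p["refid"].startswith("LOCAL"):
            findings.append(f"{p['remote']}: server is on its own local clock")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_peer_status(SAMPLE)):
        print(finding)
```

A reach value of 37 (octal) means the last five polls were answered; 377 means all of the last eight were.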
NTP Client for User Defined VRF
#configure terminal | Enter Configure mode. |
(config)#feature ntp vrf vrf1 | Configure feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp enable vrf vrf1 | Enable NTP. This is enabled by default. |
(config)#ntp server 192.168.2.2 vrf vrf1 | Configure the NTP server IP address. |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp peers
-----------------------------------------------------------
Peer IP Address Serv/Peer
-----------------------------------------------------------
10.1.1.1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.1.1.1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
Maxpoll and Minpoll Configuration
The maximum poll interval defaults to 6 (64 seconds), but can be increased by the maxpoll option to an upper limit of 16 (18.2 hours). The minimum poll interval defaults to 4 (16 seconds), and this is also the minimum value of the minpoll option.
The client retries synchronization with the server at intervals within the configured minpoll and maxpoll range.
Client for Management VRF
#configure terminal | Enter Configure mode. |
(config)#feature ntp vrf management | Configure feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp server 10.1.1.1 maxpoll 7 minpoll 5 vrf management | Configure minpoll and maxpoll range for ntp server. |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp peers
-----------------------------------------------------------
Peer IP Address Serv/Peer
-----------------------------------------------------------
10.1.1.1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.1.1.1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
Client for User Defined VRF
#configure terminal | Enter Configure mode. |
(config)#feature ntp vrf vrf1 | Configure feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp server 192.168.2.2 maxpoll 7 minpoll 5 vrf vrf1 | Configure minpoll and maxpoll range for ntp server. |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp peers
-----------------------------------------------------------
Peer IP Address Serv/Peer
-----------------------------------------------------------
10.1.1.1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.1.1.1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
NTP Authentication
When you enable NTP authentication, the device synchronizes to a time source only if the source carries the authentication keys specified with the source by key identifier. The device drops any packets that fail the authentication check, and prevents them from updating the local clock.
Client
#configure terminal | Enter Configure mode. |
(config)#feature ntp vrf vrf1 | Enable feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp server 192.168.2.2 vrf vrf1 | Configure the NTP server IP address. |
(config)#ntp authenticate vrf vrf1 | Enable NTP authentication. NTP authentication is disabled by default. |
(config)#ntp authentication-key 1 md5 cisco vrf vrf1 | Configure the NTP authentication key along with the MD5 value. |
(config)#ntp request-key 1 vrf vrf1 | Configure request key |
(config)#ntp trusted-key 1 vrf vrf1 | Configure trusted key <1-65535> |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp authentication-status
Authentication enabled
#show ntp authentication-keys
--------------------------
Auth Key MD5 String
--------------------------
1234 SWWX
#show ntp trusted-keys
Trusted Keys:
1234
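The authentication check described above, shown as an added example that is not part of the OcNOS documentation. It assumes the standard NTP symmetric-key wire format (48-byte header, then a 32-bit key ID and an MD5 digest computed over the key followed by the header); the page does not state the format OcNOS uses, and the key strings, packet bytes and function names are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # 32-bit key ID followed by a 128-bit MD5 digest

def md5_digest(key: bytes, header: bytes) -> bytes:
    # Symmetric-key NTP digest: MD5 over the shared key followed by the packet.
    return hashlib.md5(key + header).digest()

def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    return header + struct.pack("!I", key_id) + md5_digest(key, header)

def check_packet(packet: bytes, keys: dict, trusted: set):
    """Return (accepted, reason); a rejected packet must not update the clock."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False, "key not trusted"
    if not hmac.compare_digest(mac[4:], md5_digest(keys[key_id], header)):
        return False, "bad digest"
    return True, "ok"

# Constructed values: key ID 1234 as in the page's validation output, a made-up
# key string, and a minimal server reply (LI=0, VN=4, mode=4, stratum 7, poll 5).
KEYS = {1234: b"constructed-key", 7: b"other-key"}
TRUSTED = {1234}
HEADER = bytes([0x24, 7, 5, 0xEC]) + bytes(44)

def demo():
    good = add_mac(HEADER, 1234, KEYS[1234])
    tampered = bytes([good[0], 1]) + good[2:]   # stratum altered in transit
    untrusted = add_mac(HEADER, 7, KEYS[7])     # valid digest, key not trusted
    return [check_packet(p, KEYS, TRUSTED)
            for p in (good, tampered, untrusted, HEADER)]

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The third case shows why defining a key and trusting it are separate steps: a packet with a correct digest is still dropped when its key ID is not in the trusted set.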
NTP Client Configuration with IPv6 Address
On an NTP client, the user can configure an association with a remote server. In this mode, the client clock can synchronize to the remote server.
Topology
Figure 1-14 shows the sample configuration of NTP Client.
NTP Client topology
NTP Client VRF Management
#configure terminal | Enter configure mode |
(config)#feature ntp vrf management | Configure feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp enable vrf management | Enable NTP. This is enabled by default. |
(config)#ntp server 2001::1 vrf management | Configure NTP server IP address. |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp peers
================================================
Peer IP Address Serv/Peer
================================================
2001::1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
Remote refid st when poll reach delay offset jitter
==============================================================================
*2001::1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
NTP Client User Defined VRF
#configure terminal | Enter configure mode |
(config)#feature ntp vrf vrf1 | Configure feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp enable vrf vrf1 | Enable NTP. This is enabled by default. |
(config)#ntp server 2001::1 vrf vrf1 | Configure NTP server IP address. |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp peers
================================================
Peer IP Address Serv/Peer
================================================
2001::1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
Remote refid st when poll reach delay offset jitter
==============================================================================
*2001::1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
Maxpoll and Minpoll Configuration
The maximum poll interval defaults to 6 (64 seconds), but can be increased by the maxpoll option to an upper limit of 16 (18.2 hours). The minimum poll interval defaults to 4 (16 seconds), and this is also the minimum value of the minpoll option. The client retries synchronization with the server at intervals within the configured minpoll and maxpoll range.
Client for VRF Management
#configure terminal | Enter configure mode |
(config)#feature ntp vrf management | Configure feature on default or management VRF. By default this feature runs on management VRF |
(config)#ntp server 2001::1 maxpoll 7 minpoll 5 vrf management | Configure minpoll and maxpoll range for NTP server |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode |
Validation
#show ntp peers
================================================
Peer IP Address Serv/Peer
================================================
2001::1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
Remote refid st when poll reach delay offset jitter
==============================================================================
*2001::1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
Client for User Defined VRF
#configure terminal | Enter configure mode |
(config)#feature ntp vrf vrf1 | Configure feature on default or management VRF. By default this feature runs on management VRF |
(config)#ntp server 2001::1 maxpoll 7 minpoll 5 vrf vrf1 | Configure minpoll and maxpoll range for NTP server |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode |
Validation
#show ntp peers
================================================
Peer IP Address Serv/Peer
================================================
2001::1 Server (configured)
#show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
Remote refid st when poll reach delay offset jitter
==============================================================================
*2001::1 LOCAL(0) 7 u 14 32 37 0.194 -4.870 3.314
NTP Authentication
When you enable NTP authentication, the device synchronizes to a time source only if the source carries the authentication keys specified with the source by key identifier. The device drops any packets that fail the authentication check, and prevents them from updating the local clock.
Client for VRF Management
#configure terminal | Enter configure mode |
(config)#feature ntp vrf management | Enable feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp server 2001::1 vrf management | Configure NTP server IP address. |
(config)#ntp authenticate vrf management | Enable NTP authentication. NTP authentication is disabled by default. |
(config)#ntp authentication-key 1234 md5 text vrf management | Configure NTP authentication key along with MD5 value. |
(config)#ntp trusted-key 1234 vrf management | Configure trusted key |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp authentication-status
Authentication enabled
#show ntp authentication-keys
--------------------------
Auth Key MD5 String
--------------------------
1234 SWWX
#show ntp trusted-keys
Trusted Keys: 1234
Client for User Defined VRF
#configure terminal | Enter configure mode |
(config)#feature ntp vrf vrf1 | Enable feature on default or management VRF. By default this feature runs on management VRF. |
(config)#ntp server 2001::1 vrf vrf1 | Configure NTP server IP address. |
(config)#ntp authenticate vrf vrf1 | Enable NTP authentication. NTP authentication is disabled by default. |
(config)#ntp authentication-key 1 md5 cisco vrf vrf1 | Configure NTP authentication key along with MD5 value. |
(config)#ntp request-key 1 vrf vrf1 | Configure request key |
(config)#ntp trusted-key 1 vrf vrf1 | Configure trusted key |
(config)#commit | Commit the configuration |
(config)#exit | Exit from the Configure Mode. |
Validation
#show ntp authentication-status
Authentication enabled
#show ntp authentication-keys
--------------------------
Auth Key MD5 String
--------------------------
1234 SWWX
#show ntp trusted-keys
Trusted Keys: 1234