Network Time Protocol (NTP) is used to synchronize a device clock with an external NTP server. You can configure a Cisco IOS router as an NTP server with the “ntp master <stratum>” CLI command. Stratum indicates how many times the time information (time sync) has been relayed. For example, if your router is connected directly to an IP clock, its stratum is 1.

Switches cannot be configured with this command as it is not supported on those platforms. But when a switch gets time from an external source, it can relay the time information to other devices on your network. In other words, once a given switch (let’s say CAT2) has been configured as a client (of an external source – CME), other devices (CAT1, CAT3, CAT4) can be configured as NTP clients of CAT2.

We will use the following topology to see how we can configure NTP.

NTP-01

My CME router is configured for an external time server & gets its time from that. Let’s say we want to make it an NTP master with stratum 2. If you want to specify the source interface of NTP packets you can use the “ntp source <interface>” CLI command. So here is my configuration on CME.

CME(config)#ntp server 131.172.4.103
CME(config)#ntp master 2
CME(config)#ntp source loopback 0

Now you can configure all your internal devices to sync with CME by using the “ntp server 10.10.205.20” command. But in this exercise we will configure only CAT2 that way & make the other switches get time from CAT2. Here is how you can configure it & verify on CAT2. I have made the NTP source vlan 10 (this is not mandatory). Note that the stratum is 2, which is what we configured on our CME.

CAT2(config)#ntp server 10.10.205.20
CAT2(config)#ntp source vlan10

CAT2(config)#do sh clock
05:22:05.980 AEST Sun Apr 28 2013

CAT2(config)#do sh ntp ass

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.10.205.20     131.172.4.103     2     1  1024  377     3.3   -0.23     0.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

CAT2(config)#do sh ntp ass detail
10.10.205.20 configured, our_master, sane, valid, stratum 2
ref ID 131.172.4.103, time D526A1E1.60763209 (05:13:37.376 AEST Sun Apr 28 2013)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 6.38 msec, root disp 0.90, reach 377, sync dist 6.226
delay 3.31 msec, offset -0.2291 msec, dispersion 0.49
precision 2**24, version 3
org time D526A3E0.A281F68F (05:22:08.634 AEST Sun Apr 28 2013)
rcv time D526A3E0.A2FDB02D (05:22:08.636 AEST Sun Apr 28 2013)
xmt time D526A3E0.A222B4D9 (05:22:08.633 AEST Sun Apr 28 2013)
filtdelay =     3.31    2.53    2.64    1.31    2.84    2.62    3.80    2.66
filtoffset =   -0.23    0.25    0.08    0.76    0.01    0.10   -0.48    0.08
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12

Here is the CAT1 configuration & verification. Note that the stratum has changed to 3, which indicates an additional hop in the time relaying process.

CAT1(config)#ntp source Vlan10
CAT1(config)#ntp server 10.10.10.3

CAT1(config)#do sh clock  
05:57:11.867 AEST Sun Apr 28 2013
CAT1(config)#do sh ntp ass

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.10.10.3       10.10.205.20      3     0    64  377     1.4   -0.68     0.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Now let’s add some complexity with authentication. In NTP, the client is the one that needs to authenticate that the NTP server is valid (unlike a normal client-server environment where the server authenticates the client). Therefore you have to configure the NTP authentication commands on the client devices & only the NTP key needs to be configured on the NTP server.

Here is the NTP authentication configuration required on the client (CAT1) device.

CAT1(config)#ntp authenticate
CAT1(config)#ntp authentication-key 1 md5 mrn-cciew
CAT1(config)#ntp trusted-key 1
CAT1(config)#ntp server 10.10.10.3 key 1

Only the authentication key needs to be configured on the NTP server (CAT2).

CAT2(config)#ntp authentication-key 1 md5 mrn-cciew

Now you can verify proper NTP authentication on the client by using the “show ntp associations detail” command. Here is the output at CAT1.

CAT1#show ntp associations detail 
10.10.10.3 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 10.10.205.20, time D526ABE0.AF0826E0 (05:56:16.683 AEST Sun Apr 28 2013)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 10.10 msec, root disp 2.29, reach 363, sync dist 135.666
delay 4.10 msec, offset 0.3546 msec, dispersion 126.28
precision 2**18, version 3
org time D526AE45.487C7C0C (06:06:29.283 AEST Sun Apr 28 2013)
rcv time D526AE45.48EBF37A (06:06:29.284 AEST Sun Apr 28 2013)
xmt time D526AE45.47D3378B (06:06:29.280 AEST Sun Apr 28 2013)
filtdelay =     4.10    8.47    0.00    2.47    4.38    4.06    4.26    3.54
filtoffset =    0.35    2.86    0.00   -0.53   -0.67   -0.33   -0.12   -0.91
filterror =     0.02    0.93 16000.0    3.57    4.55    5.52    6.50    7.48
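Why the configuration is asymmetric, as an added Python sketch (not part of the original post and not Cisco code): the server only appends a key ID and an MD5 digest computed over the key followed by the NTP header, while the client decides whether to believe the reply. The function names are illustrative, the 48-byte header is constructed, and the server and "ntp authenticate" behaviour is a simplified model.

```python
import hashlib
import hmac
import struct

def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key NTP digest: MD5 over the key followed by the 48-byte header."""
    return hashlib.md5(key + header).digest()

def server_reply(header: bytes, key_id: int, server_keys: dict) -> bytes:
    """Server side: only needs the key itself (ntp authentication-key)."""
    key = server_keys.get(key_id)
    if key is None:
        return header  # simplification: the reply carries no MAC
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)

def client_accepts(packet: bytes, client_keys: dict, trusted: set,
                   authenticate: bool = True) -> bool:
    """Client side: ntp authenticate + ntp trusted-key decide what is believed."""
    if not authenticate:
        return True  # modelled: without "ntp authenticate" any reply is accepted
    header, trailer = packet[:48], packet[48:]
    if len(trailer) != 20:  # 4-byte key ID + 16-byte MD5 digest
        return False
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in trusted or key_id not in client_keys:
        return False
    expected = ntp_md5_mac(client_keys[key_id], header)
    return hmac.compare_digest(trailer[4:], expected)

# Constructed 48-byte header: version 3, mode 4 (server), stratum 3, poll 6,
# precision -18, ref ID 10.10.205.20, timestamps zeroed for brevity.
HEADER = struct.pack("!BBbbII4s", 0x1C, 3, 6, -18, 0, 0,
                     bytes([10, 10, 205, 20])) + bytes(32)
KEYS = {1: b"mrn-cciew"}  # key 1 as configured on CAT1 and CAT2

if __name__ == "__main__":
    genuine = server_reply(HEADER, 1, KEYS)
    print("genuine reply accepted:", client_accepts(genuine, KEYS, {1}))
    print("unsigned reply accepted:", client_accepts(HEADER, KEYS, {1}))
```
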

You can configure an ACL to control which devices can get time from your NTP server. In our example we will configure an ACL on CAT2 & control which devices can get time from it. Here is the configuration syntax for that.

CAT2(config)#ntp ?
  access-group        Control NTP access
  allow               Allow processing of packets
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  logging             Enable NTP message logging
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources

CAT2(config)#ntp access-group ?
  peer        Provide full access
  query-only  Allow only control queries
  serve       Provide server and query access
  serve-only  Provide only server access

CAT2(config)#ntp access-group serve-only ?
  <1-99>       Standard IP access list
  <1300-1999>  Standard IP access list (expanded range)

CAT2(config)#ntp access-group serve-only 10

CAT2(config)#access-list 10 permit 10.10.10.2
CAT2(config)#access-list 10 permit 10.10.20.1
CAT2(config)#access-list 10 permit 10.10.10.4

Here are the CAT3 & CAT4 configurations & the verification of authenticated NTP time synchronization.

CAT3(config)#ntp source vlan10
CAT3(config)#ntp authenticate
CAT3(config)#ntp authentication-key 1 md5 mrn-cciew
CAT3(config)#ntp trusted-key 1
CAT3(config)#ntp server 10.10.10.3 key 1 

CAT3(config)#do sh ntp ass de
10.10.10.3 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 10.10.205.20, time D526AFE0.B227FFFE (06:13:20.695 AEST Sun Apr 28 2013)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 9.35 msec, root disp 2.61, reach 377, sync dist 9.064
delay 2.58 msec, offset -1.1192 msec, dispersion 0.49
precision 2**18, version 3
org time D526B0FB.D9EFA0D0 (06:18:03.851 AEST Sun Apr 28 2013)
rcv time D526B0FB.DA8DADFF (06:18:03.853 AEST Sun Apr 28 2013)
xmt time D526B0FB.D9D8BFCD (06:18:04.849 AEST Sun Apr 28 2013)
filtdelay =     1.53    2.58    2.81    3.28    1.80    2.61    4.44    3.22
filtoffset =   -1.54   -1.12   -0.98   -2.42   -1.36   -1.44   -1.76   -1.97
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12

CAT4(config)#ntp source vlan20
CAT4(config)#ntp authenticate
CAT4(config)#ntp authentication-key 1 md5 mrn-cciew
CAT4(config)#ntp trusted-key 1
CAT4(config)#ntp server 10.10.10.3 key 1

CAT4(config)#do sh ntp ass de
10.10.10.3 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 10.10.205.20, time D526AFE0.B227FFFE (06:13:20.695 AEST Sun Apr 28 2013)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 9.35 msec, root disp 2.61, reach 1, sync dist 15883.652
delay 2.72 msec, offset -2.0256 msec, dispersion 15875.02
precision 2**18, version 3
org time D526B1D5.AA79C247 (06:21:41.665 AEST Sun Apr 28 2013)
rcv time D526B1D5.AB57C32A (06:21:41.669 AEST Sun Apr 28 2013)
xmt time D526B1D5.AA99B108 (06:21:41.666 AEST Sun Apr 28 2013)
filtdelay =     2.72    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =   -2.03    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
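An added example (not part of the original post): a small Python check that reads “show ntp associations detail” text and reports associations that are not authenticated, not sane/valid, or whose reach register shows unanswered polls. The sample lines are copied from the CAT2, CAT1 & CAT4 outputs on this page; the function names are illustrative.

```python
import re

# First and fourth line of each association, copied from the CAT2, CAT1 and
# CAT4 outputs on this page and concatenated into one sample.
SAMPLE = """\
10.10.205.20 configured, our_master, sane, valid, stratum 2
root delay 6.38 msec, root disp 0.90, reach 377, sync dist 6.226
10.10.10.3 configured, authenticated, our_master, sane, valid, stratum 3
root delay 10.10 msec, root disp 2.29, reach 363, sync dist 135.666
10.10.10.3 configured, authenticated, our_master, sane, valid, stratum 3
root delay 9.35 msec, root disp 2.61, reach 1, sync dist 15883.652
"""

HEAD = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (.+), stratum (\d+)$")
REACH = re.compile(r"reach (\d+), sync dist ([\d.]+)")

def parse_associations(text):
    """Return one dict per association found in the command output."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        head = HEAD.match(line)
        if head:
            flags = [f.strip() for f in head.group(2).split(",")]
            peers.append({"peer": head.group(1), "flags": flags,
                          "stratum": int(head.group(3)),
                          "polls_answered": None, "sync_dist": None})
            continue
        reach = REACH.search(line)
        if reach and peers:
            # reach is an octal 8-bit shift register, one bit per recent poll
            register = int(reach.group(1), 8)
            peers[-1]["polls_answered"] = bin(register).count("1")
            peers[-1]["sync_dist"] = float(reach.group(2))
    return peers

def audit(peers):
    """List (peer, problem) pairs a reviewer should look at."""
    findings = []
    for p in peers:
        if "authenticated" not in p["flags"]:
            findings.append((p["peer"], "not authenticated"))
        for required in ("sane", "valid"):
            if required not in p["flags"]:
                findings.append((p["peer"], "not " + required))
        if p["polls_answered"] is not None and p["polls_answered"] < 8:
            findings.append((p["peer"], "%d/8 polls answered" % p["polls_answered"]))
    return findings

if __name__ == "__main__":
    for peer, problem in audit(parse_associations(SAMPLE)):
        print(peer, problem)
```

A reach of 377 means the last eight polls were all answered; the CAT4 output was taken right after configuration, which is why only one poll is recorded there.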

From the CCIE wireless lab perspective there are WLCs & Autonomous APs whose time you want to sync. For a WLC you can configure this via GUI or CLI. Here is the CLI method. In my network I have WLC3 (2106) connected to CAT4 (not shown in the diagram above).

(WLC3) >config time ntp              
auth           Configures the NTP authentication
interval       Configures the Network Time Protocol Polling Interval.
key-auth       Configures the NTP authentication key.
server         Configures the Network Time Protocol Server
(WLC3) >config time ntp key-auth ?             
add            Choose add to Enter a NTP authentication key.
delete         Choose del to delete the NTP authentication key.           
(WLC3) >config time ntp key-auth add ?             
<key_index>    Enter Key index between 1 . . 4294967295, Any Value more than this will be ceiled to 4294967295.             
(WLC3) >config time ntp key-auth add 1 ?   
md5            Only MD5 supported.             
(WLC3) >config time ntp key-auth add 1 md5 ?               
ascii          Key format choose ascii type.              
hex            Key format choose hex type.         
(WLC3) >config time ntp key-auth add 1 md5 ascii ?            
<key>          Enter key, Maximum of 16 characters.           
(WLC3) >config time ntp key-auth add 1 md5 ascii mrn-cciew

(WLC3) >config time ntp auth ?            
disable        Choose Enable or Disable option
enable         Choose Enable or Disable option              
(WLC3) >config time ntp auth enable ?
<server-index> Enter NTP server index.       
(WLC3) >config time ntp auth enable 1 
<key-index>    Enter Key index between 1 . . 4294967295, Any Value more than this will be ceiled to 4294967295.       
(WLC3) >config time ntp auth enable 1 1
Authentication Enabled

(WLC3) >config time ntp server 1 10.10.10.3 

(WLC3) >config time ntp interval ?               
<interval>     Enter NTP polling interval, between 3600 and 604800 (in seconds).               
(WLC3) >config time ntp interval 3600

Remember to add the WLC management IP to the NTP ACL you created on CAT2. You can verify by looking at the ACL hit count incrementing.

CAT2(config)#access-list 10 permit 10.10.120.140
CAT2#sh access-lists 10
Standard IP access list 10
    10 permit 10.10.10.2 (14 matches)
    30 permit 10.10.10.4 (17 matches)
    20 permit 10.10.20.1 (25 matches)
    40 permit 10.10.120.140 (1 match)

Here is what the WLC GUI looks like once you have configured this.

NTP-02

For the Autonomous AP you have to configure this with the “sntp server <ntp-server IP>” command. Here is the NTP config on AAP1 (10.10.110.100). I do not think it supports authentication, & I have synced it with CME instead of CAT2.

AAP1(config)#sntp ?
  broadcast         Configure SNTP broadcast services
  logging           Enable SNTP message logging
  server            Configure SNTP server
  source-interface  Configure interface for source address

AAP1(config)#sntp server 10.10.205.20
AAP1(config)#sntp source-interface BVI1

AAP1(config)#do sh sntp  
SNTP server     Stratum   Version    Last Receive 
10.10.205.20       2         1        00:00:20     Synced 
Source interface BVI1 is configured.

Before we finish, there is one more setting associated with time, known as the time zone. This setting is local to the device on which you configure it. For routers, switches or Autonomous APs the command is “clock timezone <name> <delta>”. See the example below, in which I have configured my devices to AEST (Aus Eastern Standard Time), +10 hr from UTC.

AAP1(config)#clock timezone AEST 10
!
CAT2(config)#clock timezone AEST 10

On a WLC, you have to use the “config time timezone {location|delta}” command in the CLI. If you set the correct location it will automatically adjust the delta. In my case the location number would be 28 (which is AU-MEL, GMT+10).

(WLC3) >config time timezone location ?

<location_index> Enter the timezone location index. 
                  1. (GMT-12:00) International Date Line West
                  2. (GMT-11:00) Samoa
                  3. (GMT-10:00) Hawaii
                  4. (GMT -9:00) Alaska
                  5. (GMT -8:00) Pacific Time (US and Canada)
                  6. (GMT -7:00) Mountain Time (US and Canada)
                  7. (GMT -6:00) Central Time (US and Canada)
                  8. (GMT -5:00) Eastern Time (US and Canada)
                  9. (GMT -4:00) Altantic Time (Canada)
                 10. (GMT -3:00) Buenos Aires (Agentina)
                 11. (GMT -2:00) Mid-Atlantic 
                 12. (GMT -1:00) Azores 
                 13. (GMT) London, Lisbon, Dublin, Edinburgh 
                 14. (GMT +1:00) Amsterdam, Berlin, Rome, Vienna 
                 15. (GMT +2:00) Jerusalem 
                 16. (GMT +3:00) Baghdad 
                 17. (GMT +4:00) Muscat, Abu Dhabi 
                 18. (GMT +4:30) Kabul 
                 19. (GMT +5:00) Karachi, Islamabad, Tashkent 
                 20. (GMT +5:30) Colombo, Kolkata, Mumbai, New Delhi 
                 21. (GMT +5:45) Katmandu 
                 22. (GMT +6:00) Almaty, Novosibirsk 
                 23. (GMT +6:30) Rangoon 
                 24. (GMT +7:00) Saigon, Hanoi, Bangkok, Jakatar 
                 25. (GMT +8:00) HongKong, Bejing, Chongquing 
                 26. (GMT +9:00) Tokyo, Osaka, Sapporo 
                 27. (GMT +9:30) Darwin 
                 28. (GMT+10:00) Sydney, Melbourne, Canberra 
                 29. (GMT+11:00) Magadan, Solomon Is., New Caledonia 
                 30. (GMT+12:00) Kamchatka, Marshall Is., Fiji 
                 31. (GMT+12:00) Auckland (New Zealand)

That’s all you need for NTP configuration, & it is really important that all of your devices in the CCIE lab sync properly. This is one of the configurations you have to do early in the lab exam.