This blog provides information about the following topics:
Most networks today are being designed with high performance and reliability in mind. Delivery of content is, in many cases, guaranteed by service level agreements (SLAs). Having your network display an accurate time is vital to ensuring that you have the best information possible when reading logging messages or troubleshooting issues.
NTP Configuration
Edmonton(config)# ntp server 209.165.200.254 | Configures the Edmonton router to synchronize its clock to a public NTP server at address 209.165.200.254. This command makes the Edmonton router an NTP client to the external NTP server. A Cisco IOS router can be both a client to an external NTP server and an NTP server to client devices inside its own internal network. When NTP is enabled on a Cisco IOS router, it is enabled on all interfaces |
Edmonton(config)# ntp server 209.165.200.234 prefer | Specifies a preferred NTP server if multiple ones are configured. It is recommended to configure more than one NTP server |
Edmonton(config-if)# ntp disable | Disables the NTP server function on a specific interface. The interface will still act as an NTP client. Use this command on interfaces connected to external networks |
Edmonton(config)# ntp master stratum | Configures the router to be an NTP master clock to which peers synchronize when no external NTP source is available. The stratum is an optional number between 1 and 15. When enabled, the default stratum is 8. A reference clock (for example, an atomic clock) is said to be a stratum-0 device. A stratum-1 server is directly connected to a stratum-0 device. A stratum-2 server is connected across a network path to a stratum-1 server. The larger the stratum number (moving toward 15), the less authoritative that server is and the less accuracy it will have |
Edmonton(config)# ntp max-associations 200 | Configures the maximum number of NTP peer-and-client associations that the router will serve. The range is 0 to 4,294,967,295. The default is 100 |
Edmonton(config)# access-list 101 permit udp any host a.b.c.d eq ntp | Creates an access list statement that will allow NTP communication for the NTP server at address a.b.c.d. This ACL should be placed in an inbound direction |
When a local device is configured with the ntp master command, it can be identified by a syntactically correct but invalid IP address. This address will be in the form of 127.127.x.x. The master will synchronize with itself and uses the 127.127.x.x address to identify itself. This address will be displayed with the show ntp associations command and must be permitted via an access list if you are authenticating your NTP servers.
NTP Design
You have two different options in NTP design: flat and hierarchical. In a flat design, all routers are peers to each other. Each router is both a client and a server with every other router. In a hierarchical model, there is a preferred order of routers that are servers and others that act as clients. You use the ntp peer command to determine the hierarchy.
Do not use the flat model in a large network, because with many NTP servers it can take a long time to synchronize the time.
Edmonton(config)# ntp peer 172.16.21.1 | Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1 |
Edmonton(config)# ntp peer 172.16.21.1 version 2 | Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1 using version 2 of NTP. There are three versions of NTP (versions 2–4) |
Although Cisco IOS recognizes three versions of NTP, versions 3 and 4 are most commonly used. Version 4 introduces support for IPv6 and is backward compatible with version 3. NTPv4 also adds DNS support for IPv6.
NTPv4 has increased security support using public key cryptography and X.509 certificates.
NTPv3 uses broadcast messages. NTPv4 uses multicast messages.
Edmonton(config)# ntp peer 172.16.21.1 source loopback 0 | Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1. The source IP address is the address of interface Loopback 0. Choose a loopback interface as your source for NTP because it will never go down. ACL statements will also be easier to write, as you will require only one line to allow or deny traffic |
Edmonton(config)# ntp peer 172.16.21.1 source loopback 0 prefer | Makes this peer the preferred peer that provides synchronization |
Securing NTP
You can secure NTP operation using authentication and access lists.
Securing NTP is not part of the CCNA (200-301) exam topics.
Enabling NTP Authentication
NTPServer(config)# ntp authentication-key 1 md5 NTPpa55word | Defines an NTP authentication key. 1 = number of the authentication key; it can be a number between 1 and 4,294,967,295. md5 = using MD5 hash; this is the only option available on Cisco devices. NTPpa55word = password associated with this key |
NTPServer(config)# ntp authenticate | Enables NTP authentication |
NTPServer(config)# ntp trusted-key 1 | Defines which keys are valid for NTP authentication. The key number here must match the key number you defined in the ntp authentication-key command |
NTPClient(config)# ntp authentication-key 1 md5 NTPpa55word | Defines an NTP authentication key |
NTPClient(config)# ntp authenticate | Enables NTP authentication |
NTPClient(config)# ntp trusted-key 1 | Defines which keys are valid for NTP authentication. The key number here must match the key number you defined in the ntp authentication-key command |
NTPClient(config)# ntp server 192.168.200.1 key 1 | Defines the NTP server that requires authentication at address 192.168.200.1 and identifies the peer key number as key 1 |
NTP does not authenticate clients; it only authenticates the source. That means that a device will respond to unauthenticated requests. Therefore, access lists should be used to limit NTP access.
Once a device is synchronized to an NTP source, it will become an NTP server to any device that requests synchronization.
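The key-matching rules above can be checked automatically. The following Python script is an added example, not part of the original post or any Cisco tooling: it scans IOS-style configuration text for the NTP authentication commands shown here and reports mismatches. The function name audit_ntp and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample: defines key 1 but trusts key 2, and leaves one
# server without a key (addresses are illustrative).
SAMPLE_WEAK = """\
ntp authentication-key 1 md5 NTPpa55word
ntp authenticate
ntp trusted-key 2
ntp server 192.168.200.1 key 1
ntp server 192.168.200.2
"""

# Constructed sample matching the NTPClient commands above, plus an access group.
SAMPLE_GOOD = """\
access-list 1 permit 192.168.200.1
ntp authentication-key 1 md5 NTPpa55word
ntp authenticate
ntp trusted-key 1
ntp access-group peer 1
ntp server 192.168.200.1 key 1
"""

def audit_ntp(config: str) -> list[str]:
    """Return a list of findings for the NTP lines in an IOS-style config."""
    defined, trusted, sources = set(), set(), []
    authenticate = access_group = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ntp authentication-key (\d+) md5 \S+", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)", line):
            trusted.add(int(m.group(1)))
        elif line == "ntp authenticate":
            authenticate = True
        elif line.startswith("ntp access-group "):
            access_group = True
        elif m := re.match(r"ntp (server|peer) (\S+)(.*)", line):
            key = re.search(r"\bkey (\d+)", m.group(3))
            sources.append((m.group(2), int(key.group(1)) if key else None))

    findings = []
    if not authenticate:
        findings.append("ntp authenticate is not enabled")
    for k in sorted(trusted - defined):
        findings.append(f"trusted-key {k} has no matching authentication-key")
    for k in sorted(defined - trusted):
        findings.append(f"authentication-key {k} is defined but not trusted")
    for addr, key in sources:
        if key is None:
            findings.append(f"source {addr} is not bound to a key")
        elif key not in defined or key not in trusted:
            findings.append(f"source {addr} uses key {key}, which is not defined and trusted")
    if not access_group:
        findings.append("no ntp access-group limits who may query this device")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(name, audit_ntp(cfg) or "no findings")
```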
Limiting NTP Access with Access Lists
Edmonton(config)# access-list 1 permit 10.1.0.0 0.0.255.255 | Defines an access list that permits only packets with a source address of 10.1.x.x |
Edmonton(config)# ntp access-group peer 1 | Creates an access group to control NTP access and applies access list 1. The peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to servers specified in the access list |
Edmonton(config)# ntp access-group serve 1 | Creates an access group to control NTP access and applies access list 1. The serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers |
Edmonton(config)# ntp access-group serve-only 1 | Creates an access group to control NTP access and applies access list 1. The serve-only keyword enables the device to receive only time requests from servers specified in the access list |
Edmonton(config)# ntp access-group query-only 1 | Creates an access group to control NTP access and applies access list 1. The query-only keyword enables the device to receive only NTP control queries from the servers specified in the access list |
NTP access group options are scanned from least restrictive to most restrictive in the following order: peer, serve, serve-only, query-only. However, if NTP matches a deny ACL rule in a configured peer, ACL processing stops and does not continue to the next access group option.
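The scan order described above can be modelled directly. This Python example is added here and is not from the original post: it resolves which access level a source address receives, using the access lists from the Core1 configuration in this post plus one constructed variant with an explicit deny. It assumes that only an explicit deny stops the scan and that an address matching no entry falls through to the next access group; the function names are hypothetical.

```python
import ipaddress

ORDER = ["peer", "serve", "serve-only", "query-only"]  # scan order from the text

# Access lists and access groups from the Core1 configuration in this post.
CORE1_ACLS = {1: ["permit 127.127.1.1"], 2: ["permit 192.168.0.0 0.0.255.255"]}
CORE1_GROUPS = {"peer": 1, "serve-only": 2}

# Constructed variant: ACL 1 gains an explicit deny for one client subnet.
DENY_ACLS = {1: ["deny 192.168.9.0 0.0.0.255", "permit 127.127.1.1"],
             2: ["permit 192.168.0.0 0.0.255.255"]}

def parse_acl_entry(entry: str):
    """Parse 'permit|deny <addr> [wildcard]' or 'permit|deny any' (standard ACL)."""
    action, *rest = entry.split()
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(rest[0]))
    wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return action, addr, wildcard

def acl_match(entries, source: str):
    """Return 'permit', 'deny', or None when no explicit entry matches."""
    src = int(ipaddress.IPv4Address(source))
    for entry in entries:
        action, addr, wildcard = parse_acl_entry(entry)
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action
    return None

def ntp_access(acls: dict, groups: dict, source: str) -> str:
    """Resolve the NTP access level granted to source, or 'denied'."""
    for level in ORDER:
        if level not in groups:
            continue
        verdict = acl_match(acls[groups[level]], source)
        if verdict == "permit":
            return level
        if verdict == "deny":
            return "denied"  # explicit deny stops the scan
        # Assumption: no match falls through to the next access group.
    return "denied"

if __name__ == "__main__":
    for src in ("127.127.1.1", "192.168.40.7", "10.1.1.1"):
        print("Core1", src, "->", ntp_access(CORE1_ACLS, CORE1_GROUPS, src))
    for src in ("192.168.9.5", "192.168.10.5"):
        print("deny variant", src, "->", ntp_access(DENY_ACLS, CORE1_GROUPS, src))
```

In the deny variant, 192.168.9.5 is refused even though access list 2 would permit it, because the explicit deny in the peer group ends the scan before serve-only is reached.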
Verifying and Troubleshooting NTP
Edmonton# show ntp associations | Displays the status of NTP associations |
Edmonton# show ntp associations detail | Displays detailed information about each NTP association |
Edmonton# show ntp status | Displays the status of the NTP. This command shows whether the router’s clock has synchronized with the external NTP server |
Edmonton# debug ip packet | Checks to see whether NTP packets are received and sent |
Edmonton# debug ip packet 1 | Limits debug output to ACL 1 |
Edmonton# debug ntp adjust | Displays debug output for NTP clock adjustments |
Edmonton# debug ntp all | Displays all NTP debugging output |
Edmonton# debug ntp events | Displays all NTP debugging events |
Edmonton# debug ntp packet | Displays NTP packet debugging; lets you see the time that the peer/server gives you in a received packet |
Edmonton# debug ntp packet detail | Displays detailed NTP packet dump |
Edmonton# debug ntp packet peer a.b.c.d | Displays debugging from NTP peer at address a.b.c.d |
Setting the Clock on a Router
It is important to have your routers display the correct time for use with time stamps and other logging features.
If the system is synchronized by a valid outside timing mechanism, such as an NTP server, or if you have a router with a hardware clock, you do not need to set the software clock. Use the software clock if no other time sources are available.
Edmonton# calendar set 16:30:00 23 June 2019 | Manually sets the system hardware clock. Time is set using military (24-hour) format. The hardware clock runs continuously, even if the router is powered off or rebooted |
Edmonton# show calendar | Displays the hardware calendar |
Edmonton(config)# clock calendar-valid | Configures the system as an authoritative time source for a network based on its hardware clock. Because the hardware clock is not as accurate as other time sources (it runs off of a battery), you should use this only when a more accurate time source (such as NTP) is not available |
Edmonton# clock read-calendar | Manually reads the hardware clock settings into the software clock |
Edmonton# clock set 16:30:00 23 June 2019 | Manually sets the system software clock. Time is set using military (24-hour) format |
| Configures the system to automatically switch to summer time (daylight saving time). Summer time is disabled by default. Arguments for the command are as follows: zone: Name of the time zone; recurring: Summer time should start and end on the corresponding specified days every year; date: Indicates that summer time should start on the first specific date listed in the command and end on the second specific date in the command; week: (Optional) Week of the month (1 to 5 or last); day: (Optional) Day of the week (Sunday, Monday, and so on); date: Date of the month (1 to 31); month: (Optional) Month (January, February, and so on); year: Year (1993 to 2035); hh:mm: (Optional) Time (military format) in hours and minutes; offset: (Optional) Number of minutes to add during summer time (default is 60) |
Edmonton(config)# clock timezone zone hours-offset [minutes-offset] | Configures the time zone for display purposes. To set the time to Coordinated Universal Time (UTC), use the no form of this command. zone: Name of the time zone to be displayed when standard time is in effect (see Tables 19-1 and 19-2 for common time zone acronyms); hours-offset: Hours difference from UTC; minutes-offset: (Optional) Minutes difference from UTC |
Edmonton(config)# clock timezone PST -8 | Configures the time zone to Pacific Standard Time, which is 8 hours behind UTC |
Edmonton(config)# clock timezone NL -3 30 | Configures the time zone to Newfoundland Time for Newfoundland, Canada, which is 3.5 hours behind UTC |
Edmonton# clock update-calendar | Updates the hardware clock from the software clock |
Edmonton# show clock | Displays the time and date from the system software clock |
Edmonton# show clock detail | Displays the clock source (NTP, hardware) and the current summer-time setting (if any) |
Table 19-1 shows the common acronyms used for setting the time zone on a router.
Table 19-1 Common Time Zone Acronyms
Region/Acronym | Time Zone Name and UTC Offset |
Europe | |
GMT | Greenwich Mean Time, as UTC |
BST | British Summer Time, as UTC +1 hour |
IST | Irish Summer Time, as UTC +1 hour |
WET | Western Europe Time, as UTC |
WEST | Western Europe Summer Time, as UTC +1 hour |
CET | Central Europe Time, as UTC +1 hour |
CEST | Central Europe Summer Time, as UTC +2 hours |
EET | Eastern Europe Time, as UTC +2 hours |
EEST | Eastern Europe Summer Time, as UTC +3 hours |
MSK | Moscow Time, as UTC +3 hours |
MSD | Moscow Summer Time, as UTC +4 hours |
United States and Canada | |
AST | Atlantic Standard Time, as UTC –4 hours |
ADT | Atlantic Daylight Time, as UTC –3 hours |
ET | Eastern Time, either as EST or EDT, depending on place and time of year |
EST | Eastern Standard Time, as UTC –5 hours |
EDT | Eastern Daylight Time, as UTC –4 hours |
CT | Central Time, either as CST or CDT, depending on place and time of year |
CST | Central Standard Time, as UTC –6 hours |
CDT | Central Daylight Time, as UTC –5 hours |
MT | Mountain Time, either as MST or MDT, depending on place and time of year |
MST | Mountain Standard Time, as UTC –7 hours |
MDT | Mountain Daylight Time, as UTC –6 hours |
PT | Pacific Time, either as PST or PDT, depending on place and time of year |
PST | Pacific Standard Time, as UTC –8 hours |
PDT | Pacific Daylight Time, as UTC –7 hours |
AKST | Alaska Standard Time, as UTC –9 hours |
AKDT | Alaska Daylight Time, as UTC –8 hours |
HST | Hawaiian Standard Time, as UTC –10 hours |
Australia | |
WST | Western Standard Time, as UTC +8 hours |
CST | Central Standard Time, as UTC +9.5 hours |
EST | Eastern Standard/Summer Time, as UTC +10 hours (+11 hours during summer time) |
Table 19-2 lists an alternative method for referring to time zones, in which single letters are used to refer to the time zone difference from UTC. Using this method, the letter Z is used to indicate the zero meridian, equivalent to UTC, and the letter J (Juliet) is used to refer to the local time zone. Using this method, the international date line is between time zones M and Y.
Table 19-2 Single-Letter Time Zone Designators
Letter Designator | Word Designator | Difference from UTC |
Y | Yankee | UTC –12 hours |
X | X-ray | UTC –11 hours |
W | Whiskey | UTC –10 hours |
V | Victor | UTC –9 hours |
U | Uniform | UTC –8 hours |
T | Tango | UTC –7 hours |
S | Sierra | UTC –6 hours |
R | Romeo | UTC –5 hours |
Q | Quebec | UTC –4 hours |
P | Papa | UTC –3 hours |
O | Oscar | UTC –2 hours |
N | November | UTC –1 hour |
Z | Zulu | Same as UTC |
A | Alpha | UTC +1 hour |
B | Bravo | UTC +2 hours |
C | Charlie | UTC +3 hours |
D | Delta | UTC +4 hours |
E | Echo | UTC +5 hours |
F | Foxtrot | UTC +6 hours |
G | Golf | UTC +7 hours |
H | Hotel | UTC +8 hours |
I | India | UTC +9 hours |
K | Kilo | UTC +10 hours |
L | Lima | UTC +11 hours |
M | Mike | UTC +12 hours |
Using Time Stamps
Edmonton(config)# service timestamps | Adds a time stamp to all system logging messages |
Edmonton(config)# service timestamps debug | Adds a time stamp to all debugging messages |
Edmonton(config)# service timestamps debug uptime | Adds a time stamp along with the total uptime of the router to all debugging messages |
Edmonton(config)# service timestamps debug datetime localtime | Adds a time stamp displaying the local time and the date to all debugging messages |
Edmonton(config)# no service timestamps | Disables all time stamps |
Configuration Example: NTP
Figure 19-1 shows the network topology for the configuration that follows, which demonstrates how to configure NTP using the commands covered in this post.
Core1 Router
Core1(config)# ntp server 209.165.201.44 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.44 |
Core1(config)# ntp server 209.165.201.111 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.111 |
Core1(config)# ntp server 209.165.201.133 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.133 |
Core1(config)# ntp server 209.165.201.222 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.222 |
Core1(config)# ntp server 209.165.201.233 prefer | Configures router to synchronize its clock to a public NTP server at address 209.165.201.233. This is the preferred NTP server |
Core1(config)# ntp max-associations 200 | Configures the maximum number of NTP peer-and-client associations that the router will serve |
Core1(config)# clock timezone EDT -5 | Sets time zone to eastern daylight time |
Core1(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 | Configures the system to automatically switch to summer time and to repeat on the same day |
Core1(config)# ntp master 10 | Configures the router to serve as a master clock if the external NTP server is not available |
Core1(config)# access-list 1 permit 127.127.1.1 | Sets access list to permit packets coming from 127.127.1.1 |
Core1(config)# access-list 2 permit 192.168.0.0 0.0.255.255 | Sets access list to permit packets coming from 192.168.x.x |
Core1(config)# ntp access-group peer 1 | Configures Core1 to peer with any devices identified in access list 1 |
Core1(config)# ntp access-group serve-only 2 | Configures Core1 to receive only time requests from devices specified in the access list |
Core2 Router
Core2(config)# ntp server 209.165.201.44 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.44 |
Core2(config)# ntp server 209.165.201.111 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.111 |
Core2(config)# ntp server 209.165.201.133 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.133 |
Core2(config)# ntp server 209.165.201.222 | Configures router to synchronize its clock to a public NTP server at address 209.165.201.222 |
Core2(config)# ntp server 209.165.201.233 prefer | Configures router to synchronize its clock to a public NTP server at address 209.165.201.233. This is the preferred NTP server |
Core2(config)# ntp max-associations 200 | Configures the maximum number of NTP peer-and-client associations that the router will serve |
Core2(config)# clock timezone EDT -5 | Sets time zone to eastern daylight time |
Core2(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 | Configures the system to automatically switch to summer time and to repeat on the same day |
Core2(config)# ntp master 10 | Configures the router to serve as a master clock if the external NTP server is not available |
Core2(config)# access-list 1 permit 127.127.1.1 | Sets access list to permit packets coming from 127.127.1.1 |
Core2(config)# access-list 2 permit 192.168.0.0 0.0.255.255 | Sets access list to permit packets coming from 192.168.x.x |
Core2(config)# ntp access-group peer 1 | Configures Core2 to peer with any devices identified in access list 1 |
Core2(config)# ntp access-group serve-only 2 | Configures Core2 to receive only time requests from devices specified in the access list |
DLSwitch1
DLSwitch1(config)# ntp server 192.168.223.1 | Configures DLSwitch1 to synchronize its clock to an NTP server at address 192.168.223.1 |
DLSwitch1(config)# ntp server 192.168.224.1 | Configures DLSwitch1 to synchronize its clock to an NTP server at address 192.168.224.1 |
DLSwitch1(config)# clock timezone EDT -5 | Sets time zone to eastern daylight time |
DLSwitch1(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 | Configures the system to automatically switch to summer time and to repeat on the same day |
DLSwitch2
DLSwitch2(config)# ntp server 192.168.223.1 | Configures DLSwitch2 to synchronize its clock to an NTP server at address 192.168.223.1 |
DLSwitch2(config)# ntp server 192.168.224.1 | Configures DLSwitch2 to synchronize its clock to an NTP server at address 192.168.224.1 |
DLSwitch2(config)# clock timezone EDT -5 | Sets time zone to eastern daylight time |
DLSwitch2(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 | Configures the system to automatically switch to summer time and to repeat on the same day |
ALSwitch1
ALSwitch1(config)# ntp server 192.168.223.1 | Configures ALSwitch1 to synchronize its clock to an NTP server at address 192.168.223.1 |
ALSwitch1(config)# ntp server 192.168.224.1 | Configures ALSwitch1 to synchronize its clock to an NTP server at address 192.168.224.1 |
ALSwitch1(config)# clock timezone EDT -5 | Sets time zone to eastern daylight time |
ALSwitch1(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 | Configures the system to automatically switch to summer time and to repeat on the same day |
ALSwitch2
ALSwitch2(config)# ntp server 192.168.223.1 | Configures ALSwitch2 to synchronize its clock to an NTP server at address 192.168.223.1 |
ALSwitch2(config)# ntp server 192.168.224.1 | Configures ALSwitch2 to synchronize its clock to an NTP server at address 192.168.224.1 |
ALSwitch2(config)# clock timezone EDT -5 | Sets time zone to eastern daylight time |
ALSwitch2(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 | Configures the system to automatically switch to summer time and to repeat on the same day |