diff --git a/Work/Cisco/Nexus_NTP.md b/Work/Cisco/Nexus_NTP.md new file mode 100644 index 0000000..0d14bc7 --- /dev/null +++ b/Work/Cisco/Nexus_NTP.md 
@@ -0,0 +1,518 @@ +--- +title: NTP Deep dive on the Nexus +description: Config and troubleshoot +published: true +date: 2026-03-31T20:45:58.287Z +tags: +editor: markdown +dateCreated: 2026-03-31T20:45:58.287Z +--- + +# Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide + +## Overview + +This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation. + +--- + +## NTP Configuration + +### Basic NTP Server Configuration + + configure terminal + + ! Enable NTP feature (if not already enabled) + feature ntp + + ! Configure NTP servers (use multiple servers for redundancy) + ntp server 10.1.1.10 prefer use-vrf management + ntp server 10.1.1.11 use-vrf management + ntp server 192.0.2.1 use-vrf default + + ! Configure NTP source interface (optional but recommended) + ntp source-interface mgmt0 + + ! Set timezone (adjust to your location) + clock timezone EST -5 0 + + ! Configure daylight saving time (if applicable) + clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60 + + ! Save configuration + copy running-config startup-config + +### NTP Authentication (Recommended for Production) + + configure terminal + + ! Enable NTP authentication + ntp authenticate + + ! Create authentication keys + ntp authentication-key 1 md5 YourSecureKey123 7 + ntp authentication-key 2 md5 AnotherSecureKey456 7 + + ! Specify trusted keys + ntp trusted-key 1 + ntp trusted-key 2 + + ! Apply authentication to NTP servers + ntp server 10.1.1.10 prefer use-vrf management key 1 + ntp server 10.1.1.11 use-vrf management key 2 + + copy running-config startup-config + +### NTP Access Control (Security Best Practice) + + configure terminal + + ! Define access control for NTP + ! peer: Allow sync and queries + ! serve: Respond to queries only + ! 
serve-only: Respond to queries but don't sync + ! query-only: Allow queries only + + ntp access-group peer PeerACL + ntp access-group serve ServeACL + ntp access-group query-only QueryACL + + ! Create ACLs + ip access-list NTP-Peers + 10 permit ip 10.1.1.0/24 any + 20 deny ip any any + + ip access-list NTP-Serve + 10 permit ip 10.0.0.0/8 any + 20 deny ip any any + + copy running-config startup-config + +### NTP Master Configuration (Switch as Time Source) + + configure terminal + + ! Configure switch as NTP master (stratum level) + ! Only use if external NTP servers are unavailable + ntp master 8 + + ! This makes the switch authoritative at stratum 8 + ! Lower stratum = higher priority (1 is highest) + + copy running-config startup-config + +### Logging NTP Events + + configure terminal + + ! Enable logging for NTP + ntp logging + + ! Adjust logging level if needed + logging level ntp 6 + + copy running-config startup-config + +--- + +## Verification Commands + +### Check NTP Status + + ! Show NTP status summary + show ntp status + + ! Expected output when synchronized: + ! Clock is synchronized, stratum 3, reference is 10.1.1.10 + ! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18 + ! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024) + ! clock offset is -0.0023 msec, root delay is 12.34 msec + ! root dispersion is 45.67 msec, peer dispersion is 1.23 msec + +### Check NTP Peers + + ! Show all NTP peers and their status + show ntp peers + + ! Column descriptions: + ! * = synchronized, + = candidate, # = selected + ! remote: NTP server address + ! ref clock: reference source of the server + ! st: stratum level + ! when: last packet received (seconds) + ! poll: polling interval + ! reach: reachability (377 = all 8 attempts successful) + ! delay: round-trip delay (ms) + ! offset: time difference (ms) + ! jitter: dispersion (ms) + +### Check NTP Statistics + + ! Show detailed peer statistics + show ntp peer-status + + ! 
Show specific peer details + show ntp peer 10.1.1.10 + +### Check NTP Authentication + + ! Verify authentication keys + show ntp authentication-keys + + ! Check authentication status + show ntp authentication-status + +### Check Time Configuration + + ! Display current clock settings + show clock detail + + ! Show timezone configuration + show running-config | include clock + +--- + +## Common Configuration Examples + +### Example 1: Enterprise Configuration with Multiple Servers + + configure terminal + + feature ntp + + ! Use company NTP servers in management VRF + ntp server 10.10.1.10 prefer use-vrf management + ntp server 10.10.1.11 use-vrf management + ntp server 10.10.1.12 use-vrf management + + ! Use public NTP as backup in default VRF + ntp server 129.6.15.28 use-vrf default + ntp server 132.163.96.1 use-vrf default + + ntp source-interface mgmt0 + + clock timezone EST -5 0 + clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60 + + ntp logging + + copy running-config startup-config + +### Example 2: Secure Configuration with Authentication + + configure terminal + + feature ntp + + ntp authenticate + ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024 7 + ntp trusted-key 10 + + ntp server 10.10.1.10 prefer use-vrf management key 10 + ntp server 10.10.1.11 use-vrf management key 10 + + ntp access-group peer NTP-PEERS + + ip access-list NTP-PEERS + 10 permit ip 10.10.1.0/24 any + 20 deny ip any any log + + ntp source-interface mgmt0 + ntp logging + + clock timezone EST -5 0 + clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60 + + copy running-config startup-config + +--- + +## Troubleshooting Guide + +### Issue: NTP Not Synchronizing + +**Symptoms:** +- `show ntp status` shows "Clock is unsynchronized" +- No asterisk (*) appears in `show ntp peers` + +**Troubleshooting Steps:** + +1. **Verify NTP feature is enabled:** + + show feature | include ntp + ! If disabled: + configure terminal + feature ntp + +2. 
**Check network connectivity to NTP servers:** + + ping 10.1.1.10 vrf management + traceroute 10.1.1.10 vrf management + +3. **Verify NTP packets are being exchanged:** + + show ntp peer-status + ! Check 'reach' column - should be 377 (binary 11111111) + ! Check 'when' column - should be recent (< poll interval) + +4. **Check for authentication mismatches:** + + show ntp authentication-status + ! Verify keys match between switch and server + +5. **Verify correct VRF is configured:** + + show running-config | include "ntp server" + ! Ensure use-vrf matches your management connectivity + +6. **Check firewall/ACL blocking UDP port 123:** + + ! NTP uses UDP port 123 + show ip access-lists + +7. **Verify time offset isn't too large:** + + ! If offset > 1000 seconds, NTP may refuse to sync + ! Manually set clock closer to correct time: + clock set 14:30:00 15 January 2024 + +### Issue: High Offset or Jitter + +**Symptoms:** +- Time drifts significantly +- High offset values in `show ntp peers` + +**Troubleshooting Steps:** + +1. **Check network latency:** + + ping 10.1.1.10 vrf management repeat 100 + ! Look for packet loss and high/variable latency + +2. **Verify stratum levels:** + ```cisco + show ntp peers + ! Stratum should be < 10 for reliable servers + ! Lower stratum = more accurate + ``` + +3. **Increase number of NTP servers:** + ```cisco + ! Use at least 3 servers for best accuracy + ! NTP uses voting algorithm with multiple sources + ``` + +4. **Check for upstream NTP issues:** + ```cisco + show ntp peer-status + ! Verify your NTP servers are synchronized + ``` + +### Issue: Authentication Failures + +**Symptoms:** +- Peers show as unreachable despite network connectivity +- Authentication errors in logs + +**Troubleshooting Steps:** + +1. **Verify authentication is configured on both ends:** + ```cisco + show ntp authentication-status + ``` + +2. **Check key ID and values match:** + ```cisco + show ntp authentication-keys + ! 
Key number and MD5 hash must match server + ``` + +3. **Verify trusted keys are configured:** + ```cisco + show running-config | include "ntp trusted-key" + ``` + +4. **Temporarily disable authentication to test:** + ```cisco + configure terminal + no ntp authenticate + ! Test connectivity + ! Re-enable after testing: + ntp authenticate + ``` + +### Issue: NTP Working but Time Still Wrong + +**Symptoms:** +- `show ntp status` shows synchronized +- Clock shows incorrect time + +**Troubleshooting Steps:** + +1. **Verify timezone configuration:** + ```cisco + show running-config | include clock + ! Ensure timezone matches your location + ``` + +2. **Check daylight saving time settings:** + ```cisco + show clock detail + ! Verify DST is configured if applicable + ``` + +3. **Confirm NTP server time is correct:** + ```cisco + show ntp peers + ! Check offset - should be small (< 100ms typically) + ``` + +### Issue: Cannot Add NTP Server + +**Symptoms:** +- Configuration commands rejected +- "Invalid VRF" error + +**Troubleshooting Steps:** + +1. **Verify VRF exists:** + ```cisco + show vrf + ! Common VRFs: management, default + ``` + +2. **Check if management interface is configured:** + ```cisco + show running-config interface mgmt0 + ! Ensure IP address and VRF are configured + ``` + +3. 
**Verify source interface exists:** + ```cisco + show interface mgmt0 brief + ``` + +--- + +## Best Practices + +### Redundancy +- Configure at least **3 NTP servers** for optimal accuracy and redundancy +- Use diverse network paths to NTP servers when possible +- Consider using both internal and external NTP sources + +### Security +- **Always use NTP authentication** in production environments +- Implement access control lists to limit NTP queries +- Use `use-vrf management` to isolate NTP traffic +- Monitor NTP logs for unusual activity + +### Performance +- Use `prefer` keyword on the most reliable/accurate server +- Choose NTP servers with low stratum (2-4 is ideal) +- Select geographically close servers to minimize latency +- Avoid using stratum 1 servers directly (use stratum 2) + +### Maintenance +- Regularly verify NTP synchronization status +- Monitor offset and jitter values +- Update authentication keys periodically +- Document your NTP server hierarchy + +### Time Initialization +- When first configuring, manually set clock to within 1000 seconds of actual time +- NTP will refuse to sync if offset is too large initially +- Use `clock set` command before enabling NTP on new switches + +--- + +## Monitoring and Logging + +### Regular Health Checks + +```cisco +! Daily verification +show ntp status | include "Clock is" +show ntp peers | include "\*" + +! Weekly detailed check +show ntp peer-status +show clock detail +``` + +### Enable SNMP Monitoring + +```cisco +configure terminal + +! Enable SNMP for NTP monitoring +snmp-server enable traps ntp + +! Configure SNMP trap receiver +snmp-server host 10.1.1.100 traps version 2c YourCommunity + +copy running-config startup-config +``` + +### Syslog Monitoring + +```cisco +configure terminal + +! Ensure NTP logging is enabled +ntp logging + +! Configure syslog server +logging server 10.1.1.50 6 use-vrf management + +! 
Set appropriate logging level +logging level ntp 6 + +copy running-config startup-config +``` + +--- + +## Quick Reference Commands + +| Command | Purpose | +|---------|---------| +| `show ntp status` | Display synchronization status | +| `show ntp peers` | List all NTP peers and sync status | +| `show ntp peer-status` | Detailed peer statistics | +| `show clock detail` | Current time and configuration | +| `show feature \| include ntp` | Verify NTP feature enabled | +| `show running-config \| include ntp` | Display NTP configuration | +| `show ntp authentication-keys` | List configured auth keys | +| `clear ntp statistics` | Reset NTP statistics | + +--- + +## Appendix: Public NTP Servers + +### NIST (US Government) +- `129.6.15.28` - NIST, Gaithersburg, Maryland +- `132.163.96.1` - NIST, Boulder, Colorado + +### US Naval Observatory +- `192.5.41.40` - tick.usno.navy.mil +- `192.5.41.41` - tock.usno.navy.mil + +### NTP Pool Project +- `0.pool.ntp.org` +- `1.pool.ntp.org` +- `2.pool.ntp.org` +- `3.pool.ntp.org` + +**Note:** For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly. + +--- + +## Document Information + +**Target Platform:** Cisco Nexus 93180 +**NX-OS Versions:** 7.x, 9.x, 10.x +**Last Updated:** March 2026 +**Document Purpose:** Configuration reference and troubleshooting guide + +For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version. \ No newline at end of file
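Review bot: The "NTP Access Control" block binds the access groups to ACLs that are never created: `ntp access-group peer PeerACL` (and likewise the `serve ServeACL` and `query-only QueryACL` lines) refer to names that do not exist, while the lists actually defined below are `ip access-list NTP-Peers` and NTP-Serve, with no query-only list at all. Either rename the references to match the ACLs (as Example 2 correctly does with NTP-PEERS) or drop the unreferenced query-only line, otherwise the restriction is not applied. While there, the comments for `serve` and `serve-only` are muddled; on NX-OS `peer` allows time requests, control queries and synchronization to the remote, `serve` allows time requests and control queries without synchronizing, `serve-only` allows time requests only, and `query-only` allows control queries only. A second issue in "NTP Authentication": `ntp authentication-key 1 md5 YourSecureKey123 7` supplies a cleartext key with the trailing `7`, which on NX-OS declares the string to already be in encrypted (type 7) form, so the key stored will not match what the server expects; use `0` (or omit the flag) for cleartext keys and let the running config show the encrypted form. The same applies to key 2 in that section and to key 10 in Example 2.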