From ca5e34d790dfcc5bbd0a2d09f91ac938b7ffec44 Mon Sep 17 00:00:00 2001 From: Administrator Date: Tue, 31 Mar 2026 21:25:18 +0000 Subject: [PATCH] docs: create Work/Cisco/NTP_ESS9300 --- Work/Cisco/NTP_ESS9300.md | 899 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 899 insertions(+) create mode 100644 Work/Cisco/NTP_ESS9300.md diff --git a/Work/Cisco/NTP_ESS9300.md b/Work/Cisco/NTP_ESS9300.md new file mode 100644 index 0000000..bc91f29 --- /dev/null +++ b/Work/Cisco/NTP_ESS9300.md 
@@ -0,0 +1,899 @@ +--- +title: ESS9300 NTP +description: +published: true +date: 2026-03-31T21:25:08.700Z +tags: +editor: markdown +dateCreated: 2026-03-31T21:25:08.700Z +--- + +# Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide + +## Overview + +This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting. + +--- + +## NTP Configuration + +### Basic NTP Server Configuration + +```cisco +configure terminal + +! Configure NTP servers (use multiple servers for redundancy) +ntp server 10.1.1.10 prefer +ntp server 10.1.1.11 +ntp server 192.0.2.1 + +! Configure NTP source interface (optional but recommended) +ntp source GigabitEthernet1/1 + +! Alternatively, use management interface if configured +! ntp source GigabitEthernet0/0 + +! Set timezone (adjust to your location) +clock timezone EST -5 0 + +! Configure daylight saving time (if applicable) +clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 + +! Save configuration +end +write memory +``` + +### NTP Authentication (Recommended for Production) + +```cisco +configure terminal + +! Enable NTP authentication +ntp authenticate + +! Create authentication keys (key ID 1-65535) +ntp authentication-key 1 md5 YourSecureKey123 +ntp authentication-key 2 md5 AnotherSecureKey456 + +! Specify trusted keys +ntp trusted-key 1 +ntp trusted-key 2 + +! Apply authentication to NTP servers +ntp server 10.1.1.10 prefer key 1 +ntp server 10.1.1.11 key 2 + +end +write memory +``` + +### NTP Access Control (Security Best Practice) + +```cisco +configure terminal + +! Define access control for NTP +! peer: Allow time sync from these sources +! serve: Respond to time requests from these sources +! 
serve-only: Respond to requests but don't sync from them +! query-only: Allow status queries only + +ntp access-group peer 10 +ntp access-group serve 20 +ntp access-group query-only 30 + +! Create access lists +access-list 10 remark NTP Peers - Allow sync +access-list 10 permit 10.1.1.0 0.0.0.255 + +access-list 20 remark NTP Serve - Respond to requests +access-list 20 permit 10.0.0.0 0.255.255.255 + +access-list 30 remark NTP Query - Status queries only +access-list 30 permit 192.168.0.0 0.0.255.255 + +end +write memory +``` + +### NTP Master Configuration (Switch as Time Source) + +```cisco +configure terminal + +! Configure switch as NTP master (stratum level) +! Only use if external NTP servers are unavailable +ntp master 8 + +! This makes the switch authoritative at stratum 8 +! Lower stratum = higher priority (1 is highest, typically atomic clocks) +! Use stratum 8-15 for internal masters + +end +write memory +``` + +### Advanced NTP Configuration + +```cisco +configure terminal + +! Update calendar from NTP (hardware clock sync) +ntp update-calendar + +! Disable NTP on specific interfaces (if needed) +interface GigabitEthernet1/10 + ntp disable + exit + +! Configure NTP broadcast (server mode) +interface GigabitEthernet1/1 + ntp broadcast + exit + +! Configure NTP broadcast client (client mode) +interface GigabitEthernet1/2 + ntp broadcast client + exit + +! Configure NTP logging +service timestamps log datetime msec localtime show-timezone +service timestamps debug datetime msec localtime show-timezone + +end +write memory +``` + +--- + +## Verification Commands + +### Check NTP Status + +```cisco +! Show NTP status summary +show ntp status + +! Expected output when synchronized: +! Clock is synchronized, stratum 3, reference is 10.1.1.10 +! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10 +! ntp uptime is 86400 (1/100 of seconds), resolution is 4016 +! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024) +! 
clock offset is -0.5234 msec, root delay is 12.34 msec +! root dispersion is 45.67 msec, peer dispersion is 1.23 msec +! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s +! system poll interval is 64, last update was 25 sec ago +``` + +### Check NTP Associations + +```cisco +! Show all NTP associations (peers) +show ntp associations + +! Detailed view +show ntp associations detail + +! Column descriptions: +! * = synchronized, + = candidate, # = selected, - = outlier +! address: NTP server address +! ref clock: reference source of the server +! st: stratum level +! when: last packet received (seconds) +! poll: polling interval (seconds) +! reach: reachability (377 octal = all 8 attempts successful) +! delay: round-trip delay (ms) +! offset: time difference (ms) +! disp: dispersion/jitter (ms) +``` + +### Check Clock and Time + +```cisco +! Display current time +show clock + +! Display detailed clock information +show clock detail + +! Show calendar (hardware clock) +show calendar +``` + +### Check NTP Configuration + +```cisco +! Show all NTP configuration +show ntp config + +! Show running NTP configuration +show running-config | include ntp +show running-config | include clock +``` + +### Check NTP Authentication + +```cisco +! Show authentication keys (hashed) +show ntp authentication-keys + +! Show authentication status +show ntp status | include authentication +``` + +--- + +## Common Configuration Examples + +### Example 1: Industrial Network Configuration + +```cisco +configure terminal + +! Use site NTP servers +ntp server 10.100.1.10 prefer +ntp server 10.100.1.11 +ntp server 10.100.1.12 + +! Use primary uplink as source +ntp source GigabitEthernet1/1 + +! Central Standard Time +clock timezone CST -6 0 +clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 + +! Sync hardware clock +ntp update-calendar + +! 
Enable timestamps +service timestamps log datetime msec localtime show-timezone +service timestamps debug datetime msec localtime show-timezone + +end +write memory +``` + +### Example 2: Secure Configuration with Authentication + +```cisco +configure terminal + +! Enable NTP authentication +ntp authenticate +ntp authentication-key 10 md5 Ind_NTP_K3y_2024 +ntp trusted-key 10 + +! Configure authenticated servers +ntp server 10.100.1.10 prefer key 10 +ntp server 10.100.1.11 key 10 + +! Access control +ntp access-group peer 10 +ntp access-group query-only 30 + +access-list 10 remark NTP Peers +access-list 10 permit 10.100.1.0 0.0.0.255 + +access-list 30 remark NTP Query +access-list 30 permit 10.100.0.0 0.0.255.255 + +! Source and timezone +ntp source GigabitEthernet1/1 +clock timezone CST -6 0 +clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 + +ntp update-calendar + +service timestamps log datetime msec localtime show-timezone + +end +write memory +``` + +### Example 3: Redundant Time Source with Fallback + +```cisco +configure terminal + +! Primary NTP servers +ntp server 10.100.1.10 prefer +ntp server 10.100.1.11 + +! Fallback to public NTP if internal servers fail +ntp server 129.6.15.28 +ntp server 132.163.96.1 + +! Use as master only if all external sources fail +ntp master 10 + +ntp source GigabitEthernet1/1 +clock timezone EST -5 0 +clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 + +ntp update-calendar + +end +write memory +``` + +--- + +## Troubleshooting Guide + +### Issue: NTP Not Synchronizing + +**Symptoms:** +- `show ntp status` shows "Clock is unsynchronized" +- No asterisk (*) appears in `show ntp associations` +- "unsynchronized" appears in status output + +**Troubleshooting Steps:** + +1. **Verify NTP servers are configured:** + ```cisco + show running-config | include ntp server + ``` + +2. 
**Check network connectivity to NTP servers:** + ```cisco + ping 10.1.1.10 + ping 10.1.1.10 source GigabitEthernet1/1 + traceroute 10.1.1.10 + ``` + +3. **Verify NTP packets are being exchanged:** + ```cisco + show ntp associations detail + ! Check 'reach' value - should be 377 (octal) = all attempts successful + ! Check 'when' value - should be recent (< poll interval) + ``` + +4. **Check for authentication mismatches:** + ```cisco + show ntp status + ! Look for authentication errors + debug ntp all + ! Watch for authentication failures + undebug all + ``` + +5. **Verify access lists aren't blocking NTP:** + ```cisco + show access-lists + ! NTP uses UDP port 123 + ! Verify ACLs allow UDP 123 traffic + ``` + +6. **Check for large time offset:** + ```cisco + show ntp associations detail + ! If offset > 1000 seconds, manually set clock first + clock set 14:30:00 15 January 2024 + ``` + +7. **Verify source interface is up:** + ```cisco + show ip interface brief | include GigabitEthernet1/1 + ! Source interface must be up/up + ``` + +### Issue: High Offset or Jitter + +**Symptoms:** +- Time drifts significantly +- High offset values in `show ntp associations` +- Inconsistent time across devices + +**Troubleshooting Steps:** + +1. **Check network latency and stability:** + ```cisco + ping 10.1.1.10 repeat 100 + ! Look for: + ! - Packet loss (should be 0%) + ! - High round-trip time (> 100ms problematic) + ! - Variable latency (jitter) + ``` + +2. **Verify stratum levels:** + ```cisco + show ntp associations + ! Stratum (st) should be: + ! - < 10 for reliable servers + ! - Lower is better (1 = atomic clock, 2 = GPS) + ! - Your switch should be stratum +1 from source + ``` + +3. **Increase number of NTP servers:** + ```cisco + ! Use at least 3 servers for best accuracy + ! NTP uses voting algorithm to select best time source + configure terminal + ntp server 10.1.1.12 + ntp server 10.1.1.13 + ``` + +4. 
**Check upstream NTP server health:** + ```cisco + show ntp associations detail + ! Verify servers show: + ! - condition = 'sys.peer' or 'candidate' + ! - reach = 377 + ! - Low dispersion (disp) + ``` + +5. **Monitor polling interval:** + ```cisco + show ntp associations + ! Poll interval should stabilize at 64-1024 seconds + ! Frequent changes indicate instability + ``` + +### Issue: Authentication Failures + +**Symptoms:** +- Peers show as unreachable despite network connectivity +- NTP status shows authentication errors +- Reach value remains 0 + +**Troubleshooting Steps:** + +1. **Verify authentication is enabled:** + ```cisco + show ntp status | include authentication + ! Should show: "authentication enabled" + ``` + +2. **Check authentication keys are configured:** + ```cisco + show ntp authentication-keys + ! Verify key IDs exist + ``` + +3. **Verify trusted keys:** + ```cisco + show running-config | include ntp trusted-key + ! Keys must be marked as trusted + ``` + +4. **Confirm server configuration uses correct key:** + ```cisco + show running-config | include ntp server + ! Verify key ID matches trusted key + ``` + +5. **Debug authentication:** + ```cisco + debug ntp authentication + debug ntp validity + ! Watch for authentication failures + ! Look for key mismatches + undebug all + ``` + +6. **Temporarily disable authentication to test:** + ```cisco + configure terminal + no ntp authenticate + ! Test if synchronization works without auth + ! Then re-enable: + ntp authenticate + ``` + +### Issue: Time Correct but Timezone Wrong + +**Symptoms:** +- NTP shows synchronized +- Time is off by exact number of hours +- Logs show incorrect time + +**Troubleshooting Steps:** + +1. **Verify timezone configuration:** + ```cisco + show running-config | include clock timezone + ! Ensure timezone offset is correct for your location + ``` + +2. **Check daylight saving time:** + ```cisco + show clock detail + ! Verify DST rules are correct + ! 
Look for summer-time configuration + ``` + +3. **Reconfigure timezone if needed:** + ```cisco + configure terminal + clock timezone EST -5 0 + clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 + ``` + +4. **Verify timestamps in logs:** + ```cisco + show running-config | include service timestamps + ! Should include 'localtime' and 'show-timezone' + ``` + +### Issue: Hardware Clock Not Updating + +**Symptoms:** +- `show clock` shows correct time +- `show calendar` shows old time +- Time resets after reload + +**Troubleshooting Steps:** + +1. **Verify update-calendar is configured:** + ```cisco + show running-config | include ntp update-calendar + ``` + +2. **Manually update calendar:** + ```cisco + ntp update-calendar + ! Or manually: + clock update-calendar + ``` + +3. **Check calendar after sync:** + ```cisco + show calendar + show clock + ! Should match within a few seconds + ``` + +4. **Configure automatic update:** + ```cisco + configure terminal + ntp update-calendar + end + write memory + ``` + +### Issue: NTP Works but Stops After Time + +**Symptoms:** +- NTP synchronizes initially +- Loses sync after hours/days +- Reach value degrades over time + +**Troubleshooting Steps:** + +1. **Check for network instability:** + ```cisco + show ntp associations detail + ! Monitor 'reach' value over time + ! Should remain at 377 + ``` + +2. **Verify interface stability:** + ```cisco + show interface GigabitEthernet1/1 + ! Check for errors, resets, or flapping + ``` + +3. **Check for routing changes:** + ```cisco + show ip route 10.1.1.10 + ! Verify consistent route to NTP server + ``` + +4. **Monitor NTP server health:** + ```cisco + ! Check if NTP server itself is stable + show ntp associations detail + ! Look for increasing dispersion + ``` + +5. **Check for memory or CPU issues:** + ```cisco + show processes cpu sorted + show processes memory sorted + ! 
High CPU or memory can affect NTP + ``` + +--- + +## Best Practices + +### Redundancy +- Configure at least **3 NTP servers** for optimal accuracy and fault tolerance +- Use diverse network paths to NTP servers when possible +- Consider geographic diversity for enterprise deployments +- Use both on-site and off-site NTP sources + +### Security +- **Always use NTP authentication** in production industrial environments +- Implement access control lists to restrict NTP access +- Use MD5 authentication keys with strong passwords +- Regularly rotate authentication keys (annually recommended) +- Monitor for NTP-based attacks (amplification, spoofing) + +### Performance +- Use `prefer` keyword on the most reliable/accurate server +- Choose NTP servers with low stratum (2-4 is ideal for enterprise) +- Select geographically close servers to minimize latency +- Avoid using stratum 1 servers directly (use stratum 2 instead) +- Ensure stable network path to NTP servers + +### Industrial Environment Considerations +- Account for temperature variations in industrial settings +- Use ruggedized NTP appliances in harsh environments +- Consider GPS-based NTP servers for isolated sites +- Implement redundant time sources for critical applications +- Test NTP resilience during network outages + +### Maintenance +- Regularly verify NTP synchronization status (daily) +- Monitor offset and jitter values (weekly) +- Review NTP logs for anomalies +- Update authentication keys periodically +- Document your NTP server hierarchy +- Test failover scenarios + +### Time Initialization +- When first configuring, manually set clock to within 1000 seconds +- NTP will refuse to sync if initial offset is too large +- Use `clock set` command before enabling NTP on new switches +- Allow 10-15 minutes for initial synchronization +- Monitor stabilization with `show ntp associations` + +--- + +## Monitoring and Logging + +### Regular Health Checks + +```cisco +! 
Daily verification +show ntp status | include Clock +show ntp associations | include "\*" + +! Weekly detailed check +show ntp associations detail +show clock detail + +! Check for errors +show logging | include NTP +``` + +### Enable SNMP Monitoring + +```cisco +configure terminal + +! Enable SNMP for NTP monitoring +snmp-server enable traps ntp + +! Configure SNMP trap receiver +snmp-server host 10.1.1.100 version 2c YourCommunity + +end +write memory +``` + +### Syslog Monitoring + +```cisco +configure terminal + +! Configure syslog server +logging host 10.1.1.50 + +! Set logging level +logging trap informational + +! Enable timestamps +service timestamps log datetime msec localtime show-timezone + +end +write memory +``` + +### EEM Script for NTP Monitoring + +```cisco +configure terminal + +! Create EEM applet to monitor NTP +event manager applet NTP-Monitor + event timer watchdog time 300 + action 1.0 cli command "enable" + action 2.0 cli command "show ntp status | include Clock" + action 3.0 regexp "unsynchronized" "$_cli_result" + action 4.0 if $_regexp_result eq 1 + action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized" + action 4.2 cli command "show ntp associations" + action 5.0 end + +end +write memory +``` + +--- + +## Debug Commands + +### NTP Debugging + +```cisco +! Enable NTP debugging (use with caution in production) +debug ntp all +debug ntp authentication +debug ntp events +debug ntp packets +debug ntp validity + +! Disable debugging +undebug all +! Or +no debug all +``` + +### Conditional Debugging + +```cisco +! Debug specific NTP server +debug ntp packets 10.1.1.10 + +! View debug output +terminal monitor +! Then enable debugging +``` + +**Warning:** Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete. 
+ +--- + +## Quick Reference Commands + +| Command | Purpose | +|---------|---------| +| `show ntp status` | Display synchronization status | +| `show ntp associations` | List all NTP peers and sync status | +| `show ntp associations detail` | Detailed peer statistics | +| `show clock` | Current system time | +| `show clock detail` | Time with timezone and DST info | +| `show calendar` | Hardware clock time | +| `show running-config \| include ntp` | Display NTP configuration | +| `show running-config \| include clock` | Display time configuration | +| `show ntp authentication-keys` | List configured auth keys | +| `ntp update-calendar` | Sync hardware clock from system | +| `clock update-calendar` | Alternative calendar sync | +| `clock set HH:MM:SS DD Month YYYY` | Manually set system time | + +--- + +## IOS-XE Specific Features + +### NTP Broadcast + +The ESS 9300 running IOS-XE supports NTP broadcast mode: + +```cisco +! Server sends periodic broadcasts +interface GigabitEthernet1/1 + ntp broadcast + exit + +! Client receives broadcasts +interface GigabitEthernet1/2 + ntp broadcast client + exit +``` + +### NTP Multicast + +```cisco +! Server sends to multicast group +interface GigabitEthernet1/1 + ntp multicast 224.0.1.1 + exit + +! Client receives multicast +interface GigabitEthernet1/2 + ntp multicast client 224.0.1.1 + exit +``` + +### IPv6 NTP Support + +```cisco +configure terminal + +! IPv6 NTP server +ntp server 2001:db8::10 prefer + +! 
IPv6 source interface +ntp source Vlan100 + +end +write memory +``` + +--- + +## Appendix: Public NTP Servers + +### NIST (US Government) +- `129.6.15.28` - NIST, Gaithersburg, Maryland +- `129.6.15.29` - NIST, Gaithersburg, Maryland +- `132.163.96.1` - NIST, Boulder, Colorado +- `132.163.96.2` - NIST, Boulder, Colorado + +### US Naval Observatory +- `192.5.41.40` - tick.usno.navy.mil +- `192.5.41.41` - tock.usno.navy.mil + +### NTP Pool Project +- `0.pool.ntp.org` +- `1.pool.ntp.org` +- `2.pool.ntp.org` +- `3.pool.ntp.org` + +### Regional Pools +- `0.north-america.pool.ntp.org` +- `0.us.pool.ntp.org` + +**Note:** For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy. + +--- + +## Integration with Industrial Protocols + +### PTP (Precision Time Protocol) Coexistence + +The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices: + +- Use **PTP for sub-microsecond precision** (automation, motion control) +- Use **NTP for general timekeeping** (logging, AAA, management) +- Keep NTP and PTP on separate VLANs if possible +- Use NTP for non-critical devices +- Reserve PTP for time-critical industrial applications + +### Synchronization with PLCs and SCADA + +```cisco +! Configure NTP to serve time to industrial devices +configure terminal + +ntp master 3 +ntp source GigabitEthernet1/1 + +! 
Allow SCADA network to query time +ntp access-group serve 20 +access-list 20 permit 10.50.0.0 0.0.255.255 + +end +write memory +``` + +--- + +## Differences from Nexus NX-OS + +Key differences when coming from Nexus switches: + +| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) | +|---------|---------------|-------------------| +| VRF syntax | `use-vrf management` | Not required (use `source` instead) | +| Feature enable | `feature ntp` | Not required (built-in) | +| Calendar sync | N/A | `ntp update-calendar` | +| Save config | `copy run start` | `write memory` or `copy run start` | +| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) | +| Interface naming | `mgmt0` | `GigabitEthernet0/0` | + +--- + +## Document Information + +**Target Platform:** Cisco Catalyst ESS 9300 (IE-9300) +**Operating System:** IOS-XE +**IOS-XE Versions:** 17.x +**Last Updated:** March 2026 +**Document Purpose:** Configuration reference and troubleshooting guide for industrial Ethernet environments + +For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version. \ No newline at end of file
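Review bot: the PLC/SCADA example's `ntp master 3` contradicts the guide's own rule in the NTP Master section ("Use stratum 8-15 for internal masters") and Example 3's `ntp master 10`; because that block configures no upstream `ntp server`, the switch advertises a free-running local clock at stratum 3, which can outrank a genuine stratum-4 or lower source the PLCs also see, so suggest `ntp master 10` (or higher) and keeping the `ntp server` lines so the master only takes over when upstream sources fail. Two smaller points: troubleshooting step 6 ("Temporarily disable authentication to test") strips the only defence against spoofed time from a production switch, so recommend checking `show ntp associations detail` for key-mismatch indications first and reserving `no ntp authenticate` for a lab unit; and the commented alternative `! ntp source GigabitEthernet0/0` is the out-of-band management port, which on IOS-XE Catalyst platforms sits in `Mgmt-vrf` and needs `ntp server vrf Mgmt-vrf <address>` to reach a server, so the comparison row "VRF syntax ... Not required (use `source` instead)" should be qualified.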