traveler/Netgrimoire
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: create Work/Cisco/NTP_ESS9300

Browse source
This commit is contained in:
Administrator 2026-03-31 21:25:18 +00:00 committed by John Smith
parent 502b8a88a1
commit ca5e34d790
1 changed files with 899 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

899
Work/Cisco/NTP_ESS9300.md Normal file
View file

@ -0,0 +1,899 @@
---
title: ESS9300 NTP
description:
published: true
date: 2026-03-31T21:25:08.700Z
tags:
editor: markdown
dateCreated: 2026-03-31T21:25:08.700Z
---
# Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting.
---
## NTP Configuration
### Basic NTP Server Configuration
```cisco
configure terminal
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer
ntp server 10.1.1.11
ntp server 192.0.2.1
! Configure NTP source interface (optional but recommended)
ntp source GigabitEthernet1/1
! Alternatively, use management interface if configured
! ntp source GigabitEthernet0/0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Save configuration
end
write memory
```
### NTP Authentication (Recommended for Production)
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys (key ID 1-65535)
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2
end
write memory
```
### NTP Access Control (Security Best Practice)
```cisco
configure terminal
! Define access control for NTP
! peer: Allow time sync from these sources
! serve: Respond to time requests from these sources
! serve-only: Respond to requests but don't sync from them
! query-only: Allow status queries only
ntp access-group peer 10
ntp access-group serve 20
ntp access-group query-only 30
! Create access lists
access-list 10 remark NTP Peers - Allow sync
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 remark NTP Serve - Respond to requests
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 30 remark NTP Query - Status queries only
access-list 30 permit 192.168.0.0 0.0.255.255
end
write memory
```
### NTP Master Configuration (Switch as Time Source)
```cisco
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest, typically atomic clocks)
! Use stratum 8-15 for internal masters
end
write memory
```
### Advanced NTP Configuration
```cisco
configure terminal
! Update calendar from NTP (hardware clock sync)
ntp update-calendar
! Disable NTP on specific interfaces (if needed)
interface GigabitEthernet1/10
ntp disable
exit
! Configure NTP broadcast (server mode)
interface GigabitEthernet1/1
ntp broadcast
exit
! Configure NTP broadcast client (client mode)
interface GigabitEthernet1/2
ntp broadcast client
exit
! Configure NTP logging
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
---
## Verification Commands
### Check NTP Status
```cisco
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10
! ntp uptime is 86400 (1/100 of seconds), resolution is 4016
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.5234 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s
! system poll interval is 64, last update was 25 sec ago
```
### Check NTP Associations
```cisco
! Show all NTP associations (peers)
show ntp associations
! Detailed view
show ntp associations detail
! Column descriptions:
! * = synchronized, + = candidate, # = selected, - = outlier
! address: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval (seconds)
! reach: reachability (377 octal = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! disp: dispersion/jitter (ms)
```
### Check Clock and Time
```cisco
! Display current time
show clock
! Display detailed clock information
show clock detail
! Show calendar (hardware clock)
show calendar
```
### Check NTP Configuration
```cisco
! Show all NTP configuration
show ntp config
! Show running NTP configuration
show running-config | include ntp
show running-config | include clock
```
### Check NTP Authentication
```cisco
! Show authentication keys (hashed)
show ntp authentication-keys
! Show authentication status
show ntp status | include authentication
```
---
## Common Configuration Examples
### Example 1: Industrial Network Configuration
```cisco
configure terminal
! Use site NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
ntp server 10.100.1.12
! Use primary uplink as source
ntp source GigabitEthernet1/1
! Central Standard Time
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Sync hardware clock
ntp update-calendar
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
### Example 2: Secure Configuration with Authentication
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
ntp authentication-key 10 md5 Ind_NTP_K3y_2024
ntp trusted-key 10
! Configure authenticated servers
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10
! Access control
ntp access-group peer 10
ntp access-group query-only 30
access-list 10 remark NTP Peers
access-list 10 permit 10.100.1.0 0.0.0.255
access-list 30 remark NTP Query
access-list 30 permit 10.100.0.0 0.0.255.255
! Source and timezone
ntp source GigabitEthernet1/1
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### Example 3: Redundant Time Source with Fallback
```cisco
configure terminal
! Primary NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
! Fallback to public NTP if internal servers fail
ntp server 129.6.15.28
ntp server 132.163.96.1
! Use as master only if all external sources fail
ntp master 10
ntp source GigabitEthernet1/1
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
end
write memory
```
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp associations`
- "unsynchronized" appears in status output
**Troubleshooting Steps:**
1. **Verify NTP servers are configured:**
```cisco
show running-config | include ntp server
```
2. **Check network connectivity to NTP servers:**
```cisco
ping 10.1.1.10
ping 10.1.1.10 source GigabitEthernet1/1
traceroute 10.1.1.10
```
3. **Verify NTP packets are being exchanged:**
```cisco
show ntp associations detail
! Check 'reach' value - should be 377 (octal) = all attempts successful
! Check 'when' value - should be recent (< poll interval)
```
4. **Check for authentication mismatches:**
```cisco
show ntp status
! Look for authentication errors
debug ntp all
! Watch for authentication failures
undebug all
```
5. **Verify access lists aren't blocking NTP:**
```cisco
show access-lists
! NTP uses UDP port 123
! Verify ACLs allow UDP 123 traffic
```
6. **Check for large time offset:**
```cisco
show ntp associations detail
! If offset > 1000 seconds, manually set clock first
clock set 14:30:00 15 January 2024
```
7. **Verify source interface is up:**
```cisco
show ip interface brief | include GigabitEthernet1/1
! Source interface must be up/up
```
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp associations`
- Inconsistent time across devices
**Troubleshooting Steps:**
1. **Check network latency and stability:**
```cisco
ping 10.1.1.10 repeat 100
! Look for:
! - Packet loss (should be 0%)
! - High round-trip time (> 100ms problematic)
! - Variable latency (jitter)
```
2. **Verify stratum levels:**
```cisco
show ntp associations
! Stratum (st) should be:
! - < 10 for reliable servers
! - Lower is better (1 = atomic clock, 2 = GPS)
! - Your switch should be stratum +1 from source
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm to select best time source
configure terminal
ntp server 10.1.1.12
ntp server 10.1.1.13
```
4. **Check upstream NTP server health:**
```cisco
show ntp associations detail
! Verify servers show:
! - condition = 'sys.peer' or 'candidate'
! - reach = 377
! - Low dispersion (disp)
```
5. **Monitor polling interval:**
```cisco
show ntp associations
! Poll interval should stabilize at 64-1024 seconds
! Frequent changes indicate instability
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- NTP status shows authentication errors
- Reach value remains 0
**Troubleshooting Steps:**
1. **Verify authentication is enabled:**
```cisco
show ntp status | include authentication
! Should show: "authentication enabled"
```
2. **Check authentication keys are configured:**
```cisco
show ntp authentication-keys
! Verify key IDs exist
```
3. **Verify trusted keys:**
```cisco
show running-config | include ntp trusted-key
! Keys must be marked as trusted
```
4. **Confirm server configuration uses correct key:**
```cisco
show running-config | include ntp server
! Verify key ID matches trusted key
```
5. **Debug authentication:**
```cisco
debug ntp authentication
debug ntp validity
! Watch for authentication failures
! Look for key mismatches
undebug all
```
6. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test if synchronization works without auth
! Then re-enable:
ntp authenticate
```
### Issue: Time Correct but Timezone Wrong
**Symptoms:**
- NTP shows synchronized
- Time is off by exact number of hours
- Logs show incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock timezone
! Ensure timezone offset is correct for your location
```
2. **Check daylight saving time:**
```cisco
show clock detail
! Verify DST rules are correct
! Look for summer-time configuration
```
3. **Reconfigure timezone if needed:**
```cisco
configure terminal
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
```
4. **Verify timestamps in logs:**
```cisco
show running-config | include service timestamps
! Should include 'localtime' and 'show-timezone'
```
### Issue: Hardware Clock Not Updating
**Symptoms:**
- `show clock` shows correct time
- `show calendar` shows old time
- Time resets after reload
**Troubleshooting Steps:**
1. **Verify update-calendar is configured:**
```cisco
show running-config | include ntp update-calendar
```
2. **Manually update calendar:**
```cisco
ntp update-calendar
! Or manually:
clock update-calendar
```
3. **Check calendar after sync:**
```cisco
show calendar
show clock
! Should match within a few seconds
```
4. **Configure automatic update:**
```cisco
configure terminal
ntp update-calendar
end
write memory
```
### Issue: NTP Works but Stops After Time
**Symptoms:**
- NTP synchronizes initially
- Loses sync after hours/days
- Reach value degrades over time
**Troubleshooting Steps:**
1. **Check for network instability:**
```cisco
show ntp associations detail
! Monitor 'reach' value over time
! Should remain at 377
```
2. **Verify interface stability:**
```cisco
show interface GigabitEthernet1/1
! Check for errors, resets, or flapping
```
3. **Check for routing changes:**
```cisco
show ip route 10.1.1.10
! Verify consistent route to NTP server
```
4. **Monitor NTP server health:**
```cisco
! Check if NTP server itself is stable
show ntp associations detail
! Look for increasing dispersion
```
5. **Check for memory or CPU issues:**
```cisco
show processes cpu sorted
show processes memory sorted
! High CPU or memory can affect NTP
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and fault tolerance
- Use diverse network paths to NTP servers when possible
- Consider geographic diversity for enterprise deployments
- Use both on-site and off-site NTP sources
### Security
- **Always use NTP authentication** in production industrial environments
- Implement access control lists to restrict NTP access
- Use MD5 authentication keys with strong passwords
- Regularly rotate authentication keys (annually recommended)
- Monitor for NTP-based attacks (amplification, spoofing)
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal for enterprise)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2 instead)
- Ensure stable network path to NTP servers
### Industrial Environment Considerations
- Account for temperature variations in industrial settings
- Use ruggedized NTP appliances in harsh environments
- Consider GPS-based NTP servers for isolated sites
- Implement redundant time sources for critical applications
- Test NTP resilience during network outages
### Maintenance
- Regularly verify NTP synchronization status (daily)
- Monitor offset and jitter values (weekly)
- Review NTP logs for anomalies
- Update authentication keys periodically
- Document your NTP server hierarchy
- Test failover scenarios
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds
- NTP will refuse to sync if initial offset is too large
- Use `clock set` command before enabling NTP on new switches
- Allow 10-15 minutes for initial synchronization
- Monitor stabilization with `show ntp associations`
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include Clock
show ntp associations | include "\*"
! Weekly detailed check
show ntp associations detail
show clock detail
! Check for errors
show logging | include NTP
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 version 2c YourCommunity
end
write memory
```
### Syslog Monitoring
```cisco
configure terminal
! Configure syslog server
logging host 10.1.1.50
! Set logging level
logging trap informational
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### EEM Script for NTP Monitoring
```cisco
configure terminal
! Create EEM applet to monitor NTP
event manager applet NTP-Monitor
event timer watchdog time 300
action 1.0 cli command "enable"
action 2.0 cli command "show ntp status | include Clock"
action 3.0 regexp "unsynchronized" "$_cli_result"
action 4.0 if $_regexp_result eq 1
action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized"
action 4.2 cli command "show ntp associations"
action 5.0 end
end
write memory
```
---
## Debug Commands
### NTP Debugging
```cisco
! Enable NTP debugging (use with caution in production)
debug ntp all
debug ntp authentication
debug ntp events
debug ntp packets
debug ntp validity
! Disable debugging
undebug all
! Or
no debug all
```
### Conditional Debugging
```cisco
! Debug specific NTP server
debug ntp packets 10.1.1.10
! View debug output
terminal monitor
! Then enable debugging
```
**Warning:** Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete.
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp associations` | List all NTP peers and sync status |
| `show ntp associations detail` | Detailed peer statistics |
| `show clock` | Current system time |
| `show clock detail` | Time with timezone and DST info |
| `show calendar` | Hardware clock time |
| `show running-config \| include ntp` | Display NTP configuration |
| `show running-config \| include clock` | Display time configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `ntp update-calendar` | Sync hardware clock from system |
| `clock update-calendar` | Alternative calendar sync |
| `clock set HH:MM:SS DD Month YYYY` | Manually set system time |
---
## IOS-XE Specific Features
### NTP Broadcast
The ESS 9300 running IOS-XE supports NTP broadcast mode:
```cisco
! Server sends periodic broadcasts
interface GigabitEthernet1/1
ntp broadcast
exit
! Client receives broadcasts
interface GigabitEthernet1/2
ntp broadcast client
exit
```
### NTP Multicast
```cisco
! Server sends to multicast group
interface GigabitEthernet1/1
ntp multicast 224.0.1.1
exit
! Client receives multicast
interface GigabitEthernet1/2
ntp multicast client 224.0.1.1
exit
```
### IPv6 NTP Support
```cisco
configure terminal
! IPv6 NTP server
ntp server 2001:db8::10 prefer
! IPv6 source interface
ntp source Vlan100
end
write memory
```
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `129.6.15.29` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
- `132.163.96.2` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
### Regional Pools
- `0.north-america.pool.ntp.org`
- `0.us.pool.ntp.org`
**Note:** For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy.
---
## Integration with Industrial Protocols
### PTP (Precision Time Protocol) Coexistence
The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices:
- Use **PTP for sub-microsecond precision** (automation, motion control)
- Use **NTP for general timekeeping** (logging, AAA, management)
- Keep NTP and PTP on separate VLANs if possible
- Use NTP for non-critical devices
- Reserve PTP for time-critical industrial applications
### Synchronization with PLCs and SCADA
```cisco
! Configure NTP to serve time to industrial devices
configure terminal
ntp master 3
ntp source GigabitEthernet1/1
! Allow SCADA network to query time
ntp access-group serve 20
access-list 20 permit 10.50.0.0 0.0.255.255
end
write memory
```
---
## Differences from Nexus NX-OS
Key differences when coming from Nexus switches:
| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) |
|---------|---------------|-------------------|
| VRF syntax | `use-vrf management` | Not required (use `source` instead) |
| Feature enable | `feature ntp` | Not required (built-in) |
| Calendar sync | N/A | `ntp update-calendar` |
| Save config | `copy run start` | `write memory` or `copy run start` |
| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) |
| Interface naming | `mgmt0` | `GigabitEthernet0/0` |
---
## Document Information
**Target Platform:** Cisco Catalyst ESS 9300 (IE-9300)
**Operating System:** IOS-XE
**IOS-XE Versions:** 17.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide for industrial Ethernet environments
For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version.