traveler/Netgrimoire
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: traveler:1a98eb640210f2a39c91b64806635489751d98c2
Branches Tags
traveler:main
..
compare: traveler:46b6cf30956ed7e034a18fd3b4ea889518d2c2ff
Branches Tags
traveler:main

No commits in common. "1a98eb640210f2a39c91b64806635489751d98c2" and "46b6cf30956ed7e034a18fd3b4ea889518d2c2ff" have entirely different histories.
1a98eb6402 ... 46b6cf3095

49 changed files with 44 additions and 1938 deletions
Download patch file Download diff file Expand all files Collapse all files

25
Netgrimoire/Audits/first.md
View file

@ -1,25 +0,0 @@
---
title: Untitled Page
description:
published: true
date: 2026-04-01T01:56:08.260Z
tags:
editor: markdown
dateCreated: 2026-04-01T01:50:18.740Z
---
# Header
dffasdf
asdf
asd
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf

2
Netgrimoire/Authentication/ldap-client-setup.md
View file

@ -2,7 +2,7 @@
title: LDAP Client Setup
description:
published: true
date: 2026-02-20T04:33:31.862Z
date: 2026-01-22T03:36:37.380Z
tags:
editor: markdown
dateCreated: 2026-01-21T13:21:40.588Z

2
Netgrimoire/Backup/Immich_Backup.md
View file

@ -2,7 +2,7 @@
title: Immich Backup and Restore
description: Immich backup with Kopia
published: true
date: 2026-02-20T04:11:52.181Z
date: 2026-02-14T23:34:02.017Z
tags:
editor: markdown
dateCreated: 2026-02-14T03:14:32.594Z

2
Netgrimoire/Backup/MailCow_Backup.md
View file

@ -2,7 +2,7 @@
title: Mailcow Backup and Restore Strategy
description: Mailcow backup
published: true
date: 2026-02-20T04:15:25.924Z
date: 2026-02-13T22:23:40.797Z
tags:
editor: markdown
dateCreated: 2026-02-11T01:20:59.127Z

2
Netgrimoire/Backup/Nextcloud_Backup.md
View file

@ -2,7 +2,7 @@
title: Nextcloud Backup
description: Native + Kopia
published: true
date: 2026-02-20T04:19:28.405Z
date: 2026-02-18T04:40:14.455Z
tags:
editor: markdown
dateCreated: 2026-02-14T23:52:25.405Z

2
Netgrimoire/Backup/Services_Backup.md
View file

@ -2,7 +2,7 @@
title: Services Backup
description:
published: true
date: 2026-02-20T04:08:15.923Z
date: 2026-02-14T23:51:09.146Z
tags:
editor: markdown
dateCreated: 2026-02-05T21:28:23.152Z

2
Netgrimoire/Backup/Wiki_Backup.md
View file

@ -2,7 +2,7 @@
title: Wikijs Backup
description: Backup Wikijs
published: true
date: 2026-02-23T04:35:32.870Z
date: 2026-02-23T04:35:24.121Z
tags:
editor: markdown
dateCreated: 2026-02-23T04:35:24.121Z

2
Netgrimoire/Documentation_Standards.md
View file

@ -2,7 +2,7 @@
title: Netgrimoire Documentation
description: How to create and use Netgrimoire Docs
published: true
date: 2026-02-20T04:16:19.329Z
date: 2026-02-03T02:54:56.444Z
tags:
editor: markdown
dateCreated: 2026-02-03T02:54:56.444Z

2
Netgrimoire/Netgrimoire_Theme.md
View file

@ -2,7 +2,7 @@
title: Documentation Style Guide
description: Applying a theme
published: true
date: 2026-02-25T21:32:16.786Z
date: 2026-02-25T21:32:08.276Z
tags:
editor: markdown
dateCreated: 2026-02-24T14:03:00.791Z

2
Netgrimoire/Network/Port_Assignments.md
View file

@ -2,7 +2,7 @@
title: Port Assignments
description:
published: true
date: 2026-02-20T04:21:52.996Z
date: 2026-01-27T13:15:17.556Z
tags:
editor: markdown
dateCreated: 2026-01-27T03:42:58.945Z

2
Netgrimoire/Network/Security/Caddy.md
View file

@ -2,7 +2,7 @@
title: Caddy Reverse Proxy
description: Curreent and future config
published: true
date: 2026-02-25T01:50:20.558Z
date: 2026-02-25T01:50:11.740Z
tags:
editor: markdown
dateCreated: 2026-02-23T22:09:16.106Z

2
Netgrimoire/Network/Security/OPnSense_IDS.md
View file

@ -2,7 +2,7 @@
title: OpnSense-IDS/IPS
description: IDS
published: true
date: 2026-02-23T21:51:49.920Z
date: 2026-02-23T21:51:41.041Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:49:16.861Z

2
Netgrimoire/Network/Security/OpnSense_AppInspection.md
View file

@ -2,7 +2,7 @@
title: OpnSense - App Protection
description: App Inspection
published: true
date: 2026-02-23T21:52:43.630Z
date: 2026-02-23T21:52:34.981Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:50:37.324Z

2
Netgrimoire/Network/Security/OpnSense_Firewall.md
View file

@ -2,7 +2,7 @@
title: OpnSense
description: Grimoire Firewall Configuration
published: true
date: 2026-02-23T21:31:26.008Z
date: 2026-02-23T21:31:15.244Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:31:15.244Z

2
Netgrimoire/Network/Security/OpnSense_Git.md
View file

@ -2,7 +2,7 @@
title: OpnSense - GIT Integration
description: Git Integration
published: true
date: 2026-02-23T21:53:24.522Z
date: 2026-02-23T21:53:15.906Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:48:01.779Z

2
Netgrimoire/Network/Security/OpnSense_Ntfy.md
View file

@ -2,7 +2,7 @@
title: OpnSense - NTFY Integration
description: Security Notifications
published: true
date: 2026-02-23T22:00:46.462Z
date: 2026-02-23T22:00:37.268Z
tags:
editor: markdown
dateCreated: 2026-02-23T22:00:37.268Z

2
Netgrimoire/Network/Security/opnsense_blocklist.md
View file

@ -2,7 +2,7 @@
title: Opnsense - Additional Blocklists
description: Blocklists
published: true
date: 2026-02-23T21:54:13.019Z
date: 2026-02-23T21:54:04.063Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:46:39.562Z

2
Netgrimoire/Nucking-Futz/Scripts/vhs_restoration.md
View file

@ -2,7 +2,7 @@
title: Video Restoration Script
description: Restore VHS Video Captures
published: true
date: 2026-03-06T03:48:12.713Z
date: 2026-03-06T03:48:05.841Z
tags:
editor: markdown
dateCreated: 2026-03-06T03:48:05.841Z

2
Netgrimoire/Nucking-Futz/Services/Stash/Stash-Management.md
View file

@ -2,7 +2,7 @@
title: Stashapp Workflow
description:
published: true
date: 2026-02-20T04:25:56.467Z
date: 2026-02-18T13:08:53.604Z
tags:
editor: markdown
dateCreated: 2026-02-18T13:08:53.604Z

99
Netgrimoire/Pocket/Deployment_Guide.md
View file

@ -2,7 +2,7 @@
title: Pocket Grimoire
description:
published: true
date: 2026-02-26T12:42:50.676Z
date: 2026-02-22T05:00:02.026Z
tags:
editor: markdown
dateCreated: 2026-02-20T04:41:35.122Z
@ -354,23 +354,6 @@ sudo raspi-config
# System Options → Locale → en_US.UTF-8
```
**⚠️ Important: Ubuntu Pi Boot Configuration Note**
Ubuntu on Raspberry Pi uses a different boot config location than Raspberry Pi OS.
The active kernel command line is in:
```
/boot/firmware/current/cmdline.txt
```
**Do NOT edit** `/boot/firmware/cmdline.txt` for kernel parameters — that file is only read during `tryboot` scenarios and is ignored on normal boot.
Any kernel parameters (including USB quirks for drives) must go in `/boot/firmware/current/cmdline.txt` as a single unbroken line.
This is critical for applying USB storage quirks (see Troubleshooting section if you experience drive issues).
---
### 2. Install VeraCrypt (Optional - For Encrypted Container Files)
**VeraCrypt** allows you to mount encrypted container files as virtual drives. This is useful for:
@ -2950,86 +2933,6 @@ sudo syncoid vault/Green/Pocket greenpg/Pocket # if greenpg
**Best practice:** After first import to Pocket, the pool is permanently `greenpg`
### Kanguru UltraLock UAS Errors / Pool Suspended
**Symptoms:**
- ZFS pool repeatedly suspending with `error=5` (EIO)
- dmesg showing `uas_eh_abort_handler` every ~30 seconds
- Pool status shows `SUSPENDED`
- Drive resets cycling: `uas_eh_device_reset_handler start/success` repeating
```
sd 0:0:0:0: [sda] tag#8 uas_eh_abort_handler 0 uas-tag 3 inflight: CMD IN
scsi host0: uas_eh_device_reset_handler start
scsi host0: uas_eh_device_reset_handler success
WARNING: Pool 'greenpg' has encountered an uncorrectable I/O failure and has been suspended.
```
**Root Cause:**
The Kanguru UltraLock (`idVendor=1e1d, idProduct=2001`) uses the UAS driver by default. The Raspberry Pi 4's xhci USB controller has a known incompatibility with UAS on certain drives. The fix is to force the drive to use the `usb-storage` driver instead via a kernel quirk parameter.
**Fix (Ubuntu Pi — permanent):**
```bash
# Edit the correct cmdline file (NOT /boot/firmware/cmdline.txt)
sudo nano /boot/firmware/current/cmdline.txt
```
Add `usb-storage.quirks=1e1d:2001:u` to the end of the existing single line:
```
console=serial0,115200 multipath=off dwc_otg.lpm_enable=0 console=tty1 root=LABEL=writable rootfstype=ext4 panic=10 rootwait fixrtc usb-storage.quirks=1e1d:2001:u
```
```bash
# Verify: should show ONE $ at end, no blank lines
cat -A /boot/firmware/current/cmdline.txt
# Reboot
sudo reboot
```
**Verify fix after reboot:**
```bash
sudo dmesg | grep -i "kanguru\|uas\|usb-storage" | head -10
```
Confirmed working output:
```
usb 2-2: UAS is ignored for this device, using usb-storage instead
usb-storage 2-2:1.0: USB Mass Storage device detected
usb-storage 2-2:1.0: Quirks match for vid 1e1d pid 2001: 800000
scsi host0: usb-storage 2-2:1.0
```
**Recover suspended pool after applying fix:**
```bash
sudo zpool clear greenpg
sudo zfs load-key greenpg/Pocket
sudo zfs mount -a
```
If pool has data errors from before the fix:
```bash
sudo zpool status -v greenpg
sudo zpool scrub greenpg
# If metadata errors remain and can't be repaired, destroy and resync from Netgrimoire
```
**Why `/boot/firmware/cmdline.txt` doesn't work:**
On Ubuntu Pi, `/boot/firmware/config.txt` only reads `cmdline=cmdline.txt` under the `[tryboot]` section. The active boot uses `/boot/firmware/current/cmdline.txt` instead. This differs from Raspberry Pi OS where `/boot/firmware/cmdline.txt` is the correct file.
**Hardware reference:**
- Kanguru UltraLock USB ID: `1e1d:2001`
- Pi 4 USB controller: xhci_hcd (Broadcom BCM2711)
- Issue: xhci + UAS incompatibility on large USB drives
*Fix discovered and documented during greenpg pool troubleshooting, February 2026*
### Docker Containers Not Starting
```bash
# Check if ZFS pools are mounted first

2
Netgrimoire/Pocket/Hardware.md
View file

@ -2,7 +2,7 @@
title: Pocket Grimoire - Hardware
description: Hardware for Pocket Grimoire
published: true
date: 2026-02-20T04:29:06.922Z
date: 2026-02-03T17:22:16.329Z
tags:
editor: markdown
dateCreated: 2026-01-28T23:07:03.685Z

2
Netgrimoire/Pocket/ONN_Media_Streamer.md
View file

@ -2,7 +2,7 @@
title: Stream Box
description: Configure ONN Media Box
published: true
date: 2026-02-20T04:50:44.701Z
date: 2026-02-20T04:50:34.384Z
tags:
editor: markdown
dateCreated: 2026-02-20T04:50:34.384Z

2
Netgrimoire/Pocket/Software.md
View file

@ -2,7 +2,7 @@
title: Pocket Grimoire Software
description:
published: true
date: 2026-02-20T04:30:28.681Z
date: 2026-01-29T04:40:00.733Z
tags:
editor: markdown
dateCreated: 2026-01-29T04:37:33.794Z

2
Netgrimoire/Pocket/Stash_Integration.md
View file

@ -2,7 +2,7 @@
title: Pocket Clips
description: Integrating Stash
published: true
date: 2026-02-22T05:20:31.865Z
date: 2026-02-22T05:20:21.030Z
tags:
editor: markdown
dateCreated: 2026-02-20T04:48:11.191Z

2
Netgrimoire/Service_Document_Template.md
View file

@ -2,7 +2,7 @@
title: Service Documentation Template
description: Describe the service
published: true
date: 2026-02-20T04:24:03.727Z
date: 2026-02-03T02:57:07.462Z
tags:
editor: markdown
dateCreated: 2026-02-03T02:57:07.462Z

2
Netgrimoire/Services/AI/Netgrimoire_Agent.md
View file

@ -2,7 +2,7 @@
title: Ollama with agent
description: The smart home reference
published: true
date: 2026-03-05T02:26:41.506Z
date: 2026-03-05T02:26:34.682Z
tags:
editor: markdown
dateCreated: 2026-02-18T22:14:41.533Z

2
Netgrimoire/Services/AI/Readme.md
View file

@ -2,7 +2,7 @@
title: Readme
description: Readme file generated by AI
published: true
date: 2026-03-05T02:28:03.404Z
date: 2026-03-05T02:27:57.522Z
tags:
editor: markdown
dateCreated: 2026-03-05T02:27:57.522Z

2
Netgrimoire/Services/Immich/Convert_Immich.md
View file

@ -2,7 +2,7 @@
title: Immich on ZFS
description: Moving Immich to its own ZFS dataset
published: true
date: 2026-02-20T04:13:02.502Z
date: 2026-02-06T15:57:04.261Z
tags: service zfs immich dataset
editor: markdown
dateCreated: 2026-02-06T15:57:04.261Z

2
Netgrimoire/Services/MailCow/MXRoute_Integration.md
View file

@ -2,7 +2,7 @@
title: Integrating MXRoute with MailCow
description:
published: true
date: 2026-02-25T21:04:37.135Z
date: 2026-02-25T21:04:26.849Z
tags:
editor: markdown
dateCreated: 2026-02-25T19:22:31.514Z

2
Netgrimoire/Services/MailCow/MailCOw_Install.md
View file

@ -2,7 +2,7 @@
title: Mailcow Dockerized Install and Config
description:
published: true
date: 2026-02-25T21:05:48.256Z
date: 2026-02-25T21:05:38.864Z
tags:
editor: markdown
dateCreated: 2026-02-25T21:05:38.864Z

2
Netgrimoire/Services/MailCow/Mailcow_Hardening.md
View file

@ -2,7 +2,7 @@
title: MailCow Hardening
description: Securing Mailcow
published: true
date: 2026-02-23T21:56:32.211Z
date: 2026-02-23T21:56:22.998Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:56:22.997Z

2
Netgrimoire/Services/MailCow/Mailcow_MXRoute.md
View file

@ -2,7 +2,7 @@
title: Forwarding Mailcow through MXRoute
description: Maintaining reputation
published: true
date: 2026-02-20T04:10:37.730Z
date: 2026-02-15T01:42:12.478Z
tags:
editor: markdown
dateCreated: 2026-02-15T01:42:12.478Z

2
Netgrimoire/Services/MailCow/Sample_Domain_Setup.md
View file

@ -2,7 +2,7 @@
title: Sample Domain Setup
description: Graymutt@nucking-futz.com
published: true
date: 2026-03-16T00:34:08.387Z
date: 2026-03-16T00:34:02.401Z
tags:
editor: markdown
dateCreated: 2026-02-25T22:02:27.719Z

2
Netgrimoire/Services/MailCow/mxroute_mailcow.md
View file

@ -2,7 +2,7 @@
title: Recieving Mail thru MXRoute
description: Trusted receiver
published: true
date: 2026-02-25T17:18:16.273Z
date: 2026-02-25T17:18:07.245Z
tags:
editor: markdown
dateCreated: 2026-02-15T01:44:15.683Z

2
Netgrimoire/Storage/Kopia.md
View file

@ -2,7 +2,7 @@
title: Setting Up Kopia
description:
published: true
date: 2026-02-20T04:27:59.823Z
date: 2026-02-13T17:10:40.442Z
tags:
editor: markdown
dateCreated: 2026-01-23T22:14:17.009Z

2
Netgrimoire/Storage/Storage_Layout.md
View file

@ -2,7 +2,7 @@
title: Netgrimoire Storage
description: Where is it at
published: true
date: 2026-02-23T18:38:27.621Z
date: 2026-02-23T18:38:18.651Z
tags:
editor: markdown
dateCreated: 2026-01-22T21:10:37.035Z

2
Netgrimoire/Storage/ZFS-Commands.md
View file

@ -2,7 +2,7 @@
title: ZFS Common Commands
description: ZFS Commands
published: true
date: 2026-02-20T04:26:23.798Z
date: 2026-02-18T12:38:32.940Z
tags: zfs commands
editor: markdown
dateCreated: 2026-01-31T15:23:07.585Z

2
Netgrimoire/Storage/ZNAS_NFS_Exports.md
View file

@ -2,7 +2,7 @@
title: ZFS-NFS-Exports
description: Exporting NFS shares from ZFS datasets
published: true
date: 2026-02-23T21:58:20.626Z
date: 2026-02-23T21:58:11.949Z
tags:
editor: markdown
dateCreated: 2026-02-01T20:45:40.210Z

355
Netgrimoire/service_Catalog.md
View file

@ -1,355 +0,0 @@
---
title: Netgrimoire Service Catalog
description: Done or soon to be
published: true
date: 2026-03-29T16:05:32.761Z
tags:
editor: markdown
dateCreated: 2026-03-29T16:05:26.168Z
---
# Netgrimoire Service Catalog
> **Living document** — tracks all deployed, configured, and planned services across the Netgrimoire homelab.
> Source of truth: Forgejo repo — `compose/` = Docker Compose per host | `swarm/` = Docker Swarm | `archive/` = not running
>
> Status: ✅ Deployed & Configured | 🔧 Deployed, Needs Config | 📋 Planned | 🔍 Evaluating | ❌ Abandoned/Archived
---
## 🏗️ Infrastructure Overview
| Host | Role | IP | Runtime |
|------|------|----|---------|
| znas | NAS / Primary Swarm node | 192.168.5.10 | Docker Compose + Swarm manager |
| docker2 | VPN gateway host | — | Docker Compose |
| docker3 | LibreNMS host | — | Docker Compose |
| docker4 (hermes) | Mail server host | 192.168.5.16 | Docker Compose |
| docker5 | Media host | 192.168.5.18 | Docker Compose |
| Pi4s / NUCs | Swarm worker nodes | various | Docker Swarm workers |
---
## 📡 Network & Reverse Proxy
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | OPNsense | Firewall appliance | — | Firewall / Dual-WAN / NAT | ATT igc1 primary; 5 static IPs allocated; legacy WAN retiring |
| 🔧 | Caddy (new) | znas / Swarm | — | Reverse proxy — CrowdSec edition | `serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy`; migration in progress; `caddy.yaml` |
| ✅ | Caddy (legacy) | znas / Swarm | — | Reverse proxy | `lucaslorentz/caddy-docker-proxy`; `caddy-1.yaml` |
| ✅ | Authentik | znas / Swarm | — | SSO / IdP | Protects `*.netgrimoire.com` services |
| ✅ | Authelia | znas / Swarm | — | SSO / IdP | Protects `*.wasted-bandwidth.net` services |
| ✅ | WireGuard | OPNsense | — | VPN | Peers: Obie (.2), pncfishandmore (.3), GLNet (.4/.6), PortaPotty (.5) — 192.168.32.0/24 |
| ✅ | OpenVPN | OPNsense | — | VPN | Configured alongside WireGuard |
| ✅ | Gluetun | docker2 / Compose | — | VPN gateway container | PIA VPN; Jackett + Transmission share `network_mode: container:gluetun` |
| ✅ | Internal DNS | 192.168.5.7 | dns.netgrimoire.com | Internal name resolution | Technitium DNS; behind Authentik |
| ✅ | LLDAP | znas / Swarm | ldap.netgrimoire.com | Lightweight LDAP directory | `lldap/lldap:stable` + postgres; user management backend |
| 📋 | dnscrypt-proxy | TBD | — | Encrypted upstream DNS | Pending install |
| 📋 | Suricata | OPNsense | — | IDS/IPS | Pending config |
| 📋 | Zenarmor | OPNsense | — | Deep packet inspection (free tier) | Pending install |
| 📋 | os-git-backup | OPNsense | — | OPNsense config backup to git | Pending install |
---
## 🔒 Security
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | CrowdSec | OPNsense + Swarm | — | Threat intelligence / IP blocking | OPNsense bouncer active; Caddy bouncer in progress |
| ✅ | Vaultwarden | znas / Swarm | pass.netgrimoire.com | Password manager | `vaultwarden/server` |
| 🔧 | CrowdSec Caddy Bouncer | znas / Swarm | — | HTTP-level blocking | Gradual rollout via `caddy.import=crowdsec` label per service |
| 🔧 | OPNsense Spamhaus + GeoIP | OPNsense | — | IP blocklist / geo-blocking | Currently DISABLED — needs fixing |
| 📋 | YubiKey PIV (SSH) | All hosts | — | Smartcard SSH authentication | Highest-impact pending integration |
| 📋 | YubiKey Challenge-Response | znas | — | LUKS / Kopia key derivation | Planned |
---
## 📧 Email
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | MailCow | docker4 / Compose | mail.netgrimoire.com + all domains | Self-hosted mail server | hermes.netgrimoire.com; MXRoute inbound filter + outbound relay for all 8 domains |
| ✅ | Roundcube | docker4 / Swarm | — | Webmail | SSL peer verify disabled for internal dovecot; SRS catch-all aliases configured |
| ✅ | MXRoute | External | — | Inbound filter + outbound relay | Two DKIM selectors: `mailcow` + `mxroute` |
| 📋 | Dedicated ATT_Mail IP | OPNsense | — | Separate static IP for mail traffic | Assignment still pending |
**Domains:** netgrimoire.com · pncharris.com · nucking-futz.com · wasted-bandwidth.net · florosafd.org · gnarlypandaproductions.com · pncfishandmore.com · pncharrisenterprises.com
---
## 🎬 Media — Video
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Jellyfin | docker5 / Compose | — | Media server | Port 8096; VAAPI via `/dev/dri`; dedicated static IP 107.133.34.147 |
| ✅ | Jellyfinx | docker5 / Compose | — | Green Door media server | Port 7096; separate instance; Green + AfterDark library mounts |
| ✅ | Sonarr | znas / Swarm | — | TV show downloader | `linuxserver/sonarr` |
| ✅ | Radarr | znas / Swarm | — | Movie downloader | `linuxserver/radarr` |
| ✅ | Bazarr | znas / Swarm | bazarr.netgrimoire.com | Subtitle management | `linuxserver/bazarr` |
| ✅ | Tunarr | znas / Swarm | — | IPTV channel creation | `chrisbenincasa/tunarr`; ErsatzTV replacement (ErsatzTV archived Feb 2026) |
| ✅ | JellySeerr | znas / Swarm | requests.netgrimoire.com | Media request management | `fallenbagel/jellyseerr` |
| ✅ | JellyStat | znas / Swarm | — | Jellyfin usage statistics | `cyfershepard/jellystat` + postgres |
| ✅ | TinyMediaManager | znas / Swarm | tmm.netgrimoire.com | Media metadata manager | `tinymediamanager/tinymediamanager` |
| ✅ | Pinchflat | znas / Swarm | pinchflat.netgrimoire.com | YouTube channel downloader | `kieraneglin/pinchflat` |
| 📋 | MeTube | TBD | — | YouTube downloader | Needed for Tunarr period-accurate filler sourcing workflow |
| 🔍 | Wizarr | TBD | — | Jellyfin user onboarding | Evaluating |
---
## 🎵 Media — Audio
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Lidarr | znas / Swarm | — | Music downloader | (Caddy label not found in yaml — likely static Caddyfile entry) |
| ✅ | Beets | znas / Swarm | beets.netgrimoire.com | Music library tagging | `linuxserver/beets` |
| 🔍 | Navidrome | TBD | — | Music streaming server | Lightweight Subsonic-compatible |
| 🔍 | Soularr | TBD | — | Soulseek integration for Lidarr | Strongly recommended; fills gaps Usenet/torrents miss |
| 🔍 | Tubifarry | TBD | — | Spotify playlists → YouTube → Lidarr | https://github.com/TypNull/Tubifarry |
---
## 📚 Media — Books & Comics
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Calibre | znas / Compose | calibre.netgrimoire.com | Ebook library management | `linuxserver/calibre`; port 7070; behind Authentik; requires `seccomp=unconfined` (Compose-only) |
| ✅ | Calibre-Web Automated | znas / Swarm | books.netgrimoire.com · books.pncharris.com | Web UI + auto-import | `crocodilestick/calibre-web-automated`; dual-domain Caddy label |
| ✅ | Calibre-Web (library) | znas / Swarm | — | Secondary Calibre-Web instance | `linuxserver/calibre-web`; hostname `calibre-netgrimoire`; `library.yaml` |
| ✅ | Readarr | znas / Swarm | — | Book downloader | Using `blampe/rreading-glasses` image |
| 📋 | Mylar | znas / Swarm | — | Comic book downloader | Not currently running; needs setup soon. Reference `archive/arr.yaml` for old config |
| ✅ | Kavita | znas / Swarm | kavita.netgrimoire.com | Ebook/comic reader | `jvmilazz0/kavita` |
| ✅ | Comixed | znas / Swarm | comics.netgrimoire.com | Comic library server | `comixed/comixed` |
| ✅ | FreshRSS | znas / Swarm | rss.netgrimoire.com | RSS aggregator | `linuxserver/freshrss` |
| 🔍 | Komga | TBD | — | Comic/manga server | Evaluating vs Kavita/Comixed |
| 🔍 | MyAnonaMouse | TBD | — | Private ebook tracker | Worth investigating |
---
## 📥 Download Stack
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | NZBGet | znas / Swarm | — | Usenet download manager | `linuxserver/nzbget` |
| ✅ | SABnzbd | znas / Swarm | — | Usenet download manager | `linuxserver/sabnzbd` |
| ✅ | NZBHydra | znas / Swarm | hydra.netgrimoire.com | Usenet indexer aggregator | `linuxserver/nzbhydra2:dev`; altHUB, NZBGeek, Drunken Slug, Usenet Crawler, DogNZB |
| ✅ | Jackett | docker2 / Compose | jackett.netgrimoire.com | Torrent indexer | Runs inside Gluetun network; behind Authentik |
| ✅ | Transmission | docker2 / Compose | — | Torrent client | `network_mode: container:gluetun`; shares Gluetun VPN |
| ✅ | Recyclarr | znas / Swarm | — | Sonarr/Radarr quality profile sync | `recyclarr/recyclarr` |
| ✅ | Profilarr | znas / Swarm | profilarr.netgrimoire.com | Quality profile management | `santiagosayshey/profilarr` |
| ✅ | Configarr | znas / Swarm | configarr.netgrimoire.com | Arr config management | `raydak-labs/configarr` |
| 📋 | Prowlarr | TBD | — | Unified indexer manager | Low priority — light torrent usage; NZBHydra covers current needs |
---
## 🤖 AI & Automation (Gremlin Stack)
> All pinned to `znas` node on Docker Swarm via `swarm/ollama.yaml`.
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Ollama | znas / Swarm | — | Local LLM inference | CPU-only (Ryzen); 3B14B models |
| ✅ | Open WebUI | znas / Swarm | — | Chat interface for Ollama | `ghcr.io/open-webui/open-webui` |
| ✅ | Qdrant | znas / Swarm | — | Vector database for RAG | Wiki.js / markdown doc search |
| ✅ | n8n | znas / Swarm | — | Workflow automation | Forgejo webhook → doc gen, compose validation, alert triage |
| 🔍 | Perplexica | TBD | — | Self-hosted AI search | https://github.com/ItzCrazyKns/Perplexica |
---
## ☁️ Files, Notes & Personal Apps
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Nextcloud AIO | znas / Compose | cloud.netgrimoire.com | File sync / cloud storage | `nextcloud/all-in-one`; data at `/srv/NextCloud-AIO`; Caddy → port 11000 |
| ✅ | Immich | znas / Compose | immich.netgrimoire.com | Photo management | Port 2283; Postgres dump + Kopia backup; external photo + Nextcloud mounts |
| ✅ | Joplin Server | znas / Swarm | joplin.netgrimoire.com | Note sync server | `joplin/server` + postgres; Homepage widget configured |
| ✅ | Vikunja | znas / Swarm | task.netgrimoire.com | Task management | `vikunja/vikunja` + MariaDB |
| ✅ | Linkding | znas / Swarm | link.netgrimoire.com | Bookmark manager | `sissbruecker/linkding:1.13.0` |
| ✅ | Mealie | znas / Swarm | recipe.netgrimoire.com | Recipe manager | `ghcr.io/mealie-recipes/mealie` |
| ✅ | Wallos | znas / Swarm | expense.netgrimoire.com | Subscription / expense tracker | `bellamy/wallos` |
| ✅ | DailyTxT | znas / Swarm | — | Encrypted diary | `phitux/dailytxt:2.x.x` |
| ✅ | Bigcapital | docker5 / Compose | accounts.netgrimoire.com | Accounting / invoicing | Static Caddyfile entry; `{{upstreams}}` doesn't work for Compose stacks |
| ✅ | Scanopy | znas / Swarm | scn.netgrimoire.com | Document scanner | `ghcr.io/scanopy/scanopy` (server + daemon) + postgres |
| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
| 📋 | Memos | TBD | — | Self-hosted journaling | Preferred journal addition (alongside Joplin for notes) |
| 🔍 | Wallabag | TBD | — | Read-it-later / article saving | |
| 🔍 | Fluid Calendar | TBD | — | Self-hosted calendar | https://github.com/dotnetfactory/fluid-calendar |
| 🔍 | Firefly III | TBD | — | Personal finance / budgeting | |
| 🔍 | Stirling-PDF | TBD | — | PDF editor / tools | |
| 🔍 | Excalidraw | TBD | — | Collaborative whiteboard | |
| 🔍 | Baikal | TBD | — | CalDAV / CardDAV sync | https://sabre.io/baikal/ |
---
## 📝 Documentation & Dev
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Wiki.js | znas / Swarm | wiki.netgrimoire.com | Documentation wiki | `requarks/wiki:2` + postgres; Grimoire theme; Forgejo git backend |
| ✅ | Draw.io | znas / Swarm | draw.netgrimoire.com | Diagramming | `jgraph/drawio`; co-deployed in `wiki.yaml` |
| ✅ | Forgejo | znas / Swarm | git.netgrimoire.com | Self-hosted Git | `codeberg.org/forgejo/forgejo:11`; source of truth for Wiki.js + Gremlin |
| ✅ | Forgejo Runner | znas / Swarm | — | CI/CD | `data.forgejo.org/forgejo/runner:4.0.0`; `gitrunner.yaml` |
| ✅ | VS Code Server | znas / Swarm | code.netgrimoire.com | Web-based IDE | `linuxserver/code-server` |
| ✅ | Webtop (ubuntu-kde) | znas / Compose | webtop.netgrimoire.com | Browser-based desktop | Software rendering via llvmpipe; behind Authentik |
| ✅ | Firefox (container) | znas / Swarm | firefox.netgrimoire.com | Containerized browser | `jlesage/firefox` |
---
## 📊 Monitoring & Observability
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Uptime Kuma | znas / Swarm | — | Service uptime monitoring | `louislam/uptime-kuma:1` |
| ✅ | AutoKuma | znas / Swarm | — | Auto-create Kuma monitors from labels | `ghcr.io/bigboot/autokuma`; co-deployed in `kuma.yaml` |
| ✅ | Beszel | znas / Swarm | — | Docker resource monitoring | `henrygd/beszel` hub + agents on all nodes |
| ✅ | DIUN | znas / Swarm | — | Docker image update notifications | `crazymax/diun`; label-based per-service |
| ✅ | ntfy | znas / Swarm | ntfy.netgrimoire.com | Push notifications | `binwiederhier/ntfy`; OPNsense alerts via CrowdSec HTTP plugin |
| ✅ | Dozzle | znas / Swarm | dozzle.netgrimoire.com | Real-time container logs | `amir20/dozzle`; behind Authentik |
| ✅ | Scrutiny | znas / Compose | scrutiny.netgrimoire.com | Disk S.M.A.R.T. monitoring | `analogj/scrutiny:master-omnibus`; monitors /dev/sdasdg; behind Authentik |
| ✅ | Glances | znas / Compose | — | Real-time system stats | `nicolargo/glances`; `network_mode: host`; co-deployed in `monitor.yaml` |
| ✅ | Graylog | docker4 / Compose | log.netgrimoire.com | Log aggregation | Graylog 6.0 + MongoDB 5 + DataNode (OpenSearch); compose-only (noted in file) |
| ✅ | LibreNMS | docker3 / Compose | nms.netgrimoire.com | Network/SNMP monitoring | Full stack: librenms + dispatcher + syslog-ng + snmptrapd + MariaDB + Redis; port 8000 |
| ✅ | Homelable | znas / Compose | — | Infrastructure visualizer | Frontend + Backend via GHCR; MCP deferred (requires build from source) |
| ✅ | phpIPAM | znas / Swarm | ipam.netgrimoire.com | IP address management | `phpipam/phpipam-www` + cron + MariaDB |
| ✅ | Homepage | znas / Swarm | — | Primary dashboard | `ghcr.io/gethomepage/homepage` |
| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
| ✅ | Dockpeek | znas / Swarm | dockpeek.netgrimoire.com | Container inspector | `dockpeek/dockpeek` |
| ✅ | Loki + Promtail + Grafana | znas / Swarm | — | Metrics/log stack | `logging.yaml`; Grafana 10.4.2 + Loki 2.9.3 + Promtail 2.9.3 |
| ✅ | phpMyAdmin + phpPgAdmin | znas / Swarm | — | DB admin UIs | `SQL-mgmt.yaml` |
| ✅ | pgAdmin | znas / Swarm | — | Postgres admin | `dpage/pgadmin4`; `database.yaml` |
| 🔍 | WatchYourLAN | TBD | — | Network device tracker | https://github.com/aceberg/WatchYourLAN |
| 🔍 | NUT UPS | TBD | — | UPS power management | https://hub.docker.com/r/instantlinux/nut-upsd |
| 🔍 | OliveTin | TBD | — | Web button → shell command | Run commands from web UI |
| 🔍 | Swarm Dashboard | TBD | — | Docker Swarm visualizer | https://github.com/mohsenasm/swarm-dashboard |
---
## 💾 Storage & Backup
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | OpenZFS (ZNAS) | znas | — | Primary storage | ~94TB raw, two RAIDZ1 VDEVs; vault pool |
| ✅ | NFSv4 | znas | — | Shared storage for Swarm | Loopback NFS at `/data/nfs/znas`; ZFS must fully mount before NFS starts |
| ✅ | Kopia (primary vault) | znas / Swarm | kopia.netgrimoire.com | Primary backup repo | `kopia.yaml`; dedup + replication |
| ✅ | Kopia (offsite vault) | znas / Swarm | vault.netgrimoire.com | Offsite replication server | `vault.yaml`; port 51516; separate dataset → ZFS raw send to Pi vaults |
| ✅ | syncoid | znas | — | ZFS replication | Syncs vault/Green/Pocket → Pocket Grimoire |
| ✅ | Nextcloud AIO BorgBackup | znas | — | Nextcloud-native backup | Local snapshots before Kopia |
| ✅ | Czkawka | znas / Swarm | dupes.netgrimoire.com | Duplicate file finder | `jlesage/czkawka` |
| ✅ | Cloud Commander | znas / Swarm | — | Web file manager | `coderaiser/cloudcmd`; **two instances** (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional |
| ✅ | File Browser | znas / Swarm | — | Web file manager | `filebrowser/filebrowser` |
| 🔍 | Manyfold | TBD | — | 3D print model collector | https://github.com/manyfold3d/manyfold |
---
## 🖥️ Management & Remote Access
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Portainer | znas / Swarm | docker.netgrimoire.com | Container management UI | `portainer/portainer-ce:2.33.6` + agents on all nodes |
| ✅ | ISPConfig | 192.168.4.11 | — | Web/DNS hosting control panel | |
| ✅ | Cockpit | All hosts | win.netgrimoire.com | Linux server management | Caddy → `192.168.5.10:8006` |
| ✅ | Termix | znas / Swarm | termix.netgrimoire.com | Web-based terminal | `ghcr.io/lukegus/termix` |
| ✅ | DumbTerm | znas / Swarm | — | Simple web terminal | `dockwareio/dumbterm` |
| ✅ | Windows 7 (VM) | znas / Compose | — | Windows VM | `dockurr/windows`; `windows7.yaml` |
| 🔍 | Guacamole | TBD | — | Remote desktop gateway | Previously tried as `nxterm` — in archive |
| 🔍 | SSHwifty | TBD | — | SSH web client | In archive; reconsidering |
---
## 🎭 Green Door (Adult Content)
> Protected behind Authelia (`*.wasted-bandwidth.net`)
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Whisparr | znas / Swarm | — | Adult content downloader | `ghcr.io/hotio/whisparr` |
| ✅ | Namer | znas / Compose | namer.wasted-bandwidth.net | Scene file namer | `theporndatabase/namer`; port 6980; data → `/data/nfs/Baxter/Green/` |
| ✅ | Stash (main) | znas / Compose | stash.wasted-bandwidth.net | Adult content library | `stashapp/stash`; port 9999 |
| ✅ | PocketStash | znas / Compose | — | Stash for Pocket Grimoire | Separate instance; port 9998; data → `/export/Green/Pocket/`; `pocketstash.yaml` |
---
## 🌐 Web Hosting
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Apache/PHP web | znas / Swarm | fish.pncharris.com · www.wasted-bandwidth.net | Static/PHP web hosting | `php:8.2-apache`; `web.yaml`; replicas: 1 |
---
## 📦 Archive (Not Currently Running)
> Files in `archive/` — previously evaluated or deployed, not currently active.
| App | File | Notes |
|-----|------|-------|
| Plex | `plex.yaml` | Replaced by Jellyfin |
| Komodo | `komodo.yaml` | Container management platform — evaluated, not deployed |
| cAdvisor | `cadvisor.yaml` | Container metrics — not deployed |
| Peekaping | `peekaping.yaml` | Uptime monitor — Kuma preferred |
| WatchState | `WatchState.yaml` | Jellyfin/Plex watch state sync |
| Nessus | `nessus.yaml` | Vulnerability scanner — evaluated |
| NxTerm | `nxterm.yaml` | Guacamole-style remote desktop — evaluated |
| SSHwifty | `sshwifty.yaml` | SSH web client — evaluated |
| Wordpress Classifieds | `wordpress-classifieds.yaml` | Not deployed |
| Cal (calendar?) | `cal.yaml` | Evaluated |
| CrowdSec (standalone) | `crowdsec.yaml` | Merged into Caddy stack |
| Arr stack | `arr.yaml` | Old consolidated arr compose — superseded by individual yamls |
| Caddyfile.old | `Caddyfile.old` | Legacy Caddyfile |
---
## 🗃️ Ideas Backlog
| App | Category | Notes |
|-----|----------|-------|
| Soularr | Audio | Soulseek for Lidarr; strongly recommended |
| Tubifarry | Audio | Spotify → YouTube → Lidarr |
| MeTube | Video | YouTube downloader for Tunarr filler |
| Memos | Journal | Preferred self-hosted journal pick |
| Wallabag | Reading | Read-it-later |
| Firefly III | Finance | Budgeting |
| Baikal | PIM | CalDAV/CardDAV |
| Fluid Calendar | PIM | https://github.com/dotnetfactory/fluid-calendar |
| Perplexica | AI | Self-hosted AI search |
| WatchYourLAN | Network | Device tracker |
| OliveTin | Automation | Web UI → shell commands |
| Swarm Dashboard | Monitoring | Swarm-aware visualizer |
| ContainerNursery | Automation | On-demand container start/stop |
| NUT UPS | Power | UPS management |
| Wire-pod for Vector | IoT | Anki Vector local server |
| Kindle reuse | IoT | Repurpose Kindle as weather/info display |
| Collectarr | Media | https://github.com/RiffSphere/Collectarr |
| SuggestArr | Media | Automated media recommendations |
| Recommendarr | Media | AI media recommendations |
| Manyfold | 3D Print | Model library |
| OrcaSlicer | 3D Print | Slicer web UI |
| Memos / Journiv | Journal | Self-hosted journaling (Memos preferred) |
| Romm | Gaming | ROM library manager |
| EmulatorJS | Gaming | Browser-based emulation |
---
## 🔑 Key Architecture Decisions & Gotchas
> Reference these before deploying or modifying services.
- **MailCow network isolation:** Only `nginx-mailcow` on the `netgrimoire` overlay. All other containers stay on internal bridge. Mixing causes PHP-FPM → Redis DNS conflicts.
- **caddy-docker-proxy + static Caddyfile conflict:** Never manage the same hostname via both Docker labels AND a static block. Pick one method exclusively per service.
- **`{{upstreams}}` is Swarm-only:** Does not work for Docker Compose stacks. Use static Caddyfile with container name or pinned IP.
- **Docker Compose `ports: []` override:** Does not nullify ports from base file. Remap to unused host ports instead.
- **Graylog is Compose-only:** The `graylog.yaml` file explicitly notes this — do not attempt to run it in Swarm.
- **Calibre requires `seccomp=unconfined`:** Necessary for the desktop app container; incompatible with Swarm mode — must remain in `compose/znas/`.
- **Kopia repos not ZFS-separable:** Use separate repositories with independent retention (`kopia.yaml` vs `vault.yaml`) rather than trying to separate at the ZFS snapshot level.
- **ZFS encryption:** In-place encryption impossible. Use rsync migration + `-w` flag for raw send to Pi vaults (no key needed on vault side).
- **SRS rewrite:** All domains using MXRoute inbound forwarding require catch-all aliases in MailCow to prevent `reject_unlisted_sender` rejections.
- **Docker Swarm DNS caching:** Use `endpoint_mode: dnsrr` for internal services; VIP only for published-port services.
- **NFS boot ordering on znas:** ZFS must fully mount before NFS starts — systemd override required (`After=zfs-import.target zfs-mount.service`). Loopback NFS mount needs `x-systemd.after=nfs-server.service` in fstab.
- **Wiki.js angle brackets:** `<value>` placeholders cause rendering hangs. Use `VALUE` or backtick format instead.
- **bcrypt in `.env`:** Wrap full hash in single quotes to preserve leading `$`.
- **Webtop GPU rendering:** Requires `LIBGL_ALWAYS_SOFTWARE=1` + `GALLIUM_DRIVER=llvmpipe`; remove `devices:/dev/dri` mapping.
- **Cloud Commander duplication:** Two nearly identical `coderaiser/cloudcmd` stacks exist (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional or a duplicate to clean up.
- **Lidarr missing Caddy label:** Lidarr yaml has no caddy label — either routed via static Caddyfile or not yet exposed. Confirm and standardize.
---
*Last updated: March 2026 | Source: Forgejo repo git archive*

2
Work/C9300GX-Port_Breakout.md
View file

@ -2,7 +2,7 @@
title: Nexus Upgrade port Breakout
description:
published: true
date: 2026-02-20T19:24:28.054Z
date: 2026-02-20T19:24:19.622Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:55:53.800Z

2
Work/C9300GX_2_Build.md
View file

@ -2,7 +2,7 @@
title: C9300GX Initial Build
description:
published: true
date: 2026-02-19T20:54:08.096Z
date: 2026-02-19T20:53:59.281Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:50:41.541Z

899
Work/Cisco/NTP_ESS9300.md
View file

@ -1,899 +0,0 @@
---
title: ESS9300 NTP
description:
published: true
date: 2026-03-31T21:25:14.679Z
tags:
editor: markdown
dateCreated: 2026-03-31T21:25:08.700Z
---
# Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting.
---
## NTP Configuration
### Basic NTP Server Configuration
```cisco
configure terminal
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer
ntp server 10.1.1.11
ntp server 192.0.2.1
! Configure NTP source interface (optional but recommended)
ntp source GigabitEthernet1/1
! Alternatively, use management interface if configured
! ntp source GigabitEthernet0/0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Save configuration
end
write memory
```
### NTP Authentication (Recommended for Production)
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys (key ID 1-65535)
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2
end
write memory
```
### NTP Access Control (Security Best Practice)
```cisco
configure terminal
! Define access control for NTP
! peer: Allow time sync from these sources
! serve: Respond to time requests from these sources
! serve-only: Respond to requests but don't sync from them
! query-only: Allow status queries only
ntp access-group peer 10
ntp access-group serve 20
ntp access-group query-only 30
! Create access lists
access-list 10 remark NTP Peers - Allow sync
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 remark NTP Serve - Respond to requests
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 30 remark NTP Query - Status queries only
access-list 30 permit 192.168.0.0 0.0.255.255
end
write memory
```
### NTP Master Configuration (Switch as Time Source)
```cisco
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest, typically atomic clocks)
! Use stratum 8-15 for internal masters
end
write memory
```
### Advanced NTP Configuration
```cisco
configure terminal
! Update calendar from NTP (hardware clock sync)
ntp update-calendar
! Disable NTP on specific interfaces (if needed)
interface GigabitEthernet1/10
ntp disable
exit
! Configure NTP broadcast (server mode)
interface GigabitEthernet1/1
ntp broadcast
exit
! Configure NTP broadcast client (client mode)
interface GigabitEthernet1/2
ntp broadcast client
exit
! Configure NTP logging
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
---
## Verification Commands
### Check NTP Status
```cisco
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10
! ntp uptime is 86400 (1/100 of seconds), resolution is 4016
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.5234 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s
! system poll interval is 64, last update was 25 sec ago
```
### Check NTP Associations
```cisco
! Show all NTP associations (peers)
show ntp associations
! Detailed view
show ntp associations detail
! Column descriptions:
! * = synchronized, + = candidate, # = selected, - = outlier
! address: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval (seconds)
! reach: reachability (377 octal = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! disp: dispersion/jitter (ms)
```
### Check Clock and Time
```cisco
! Display current time
show clock
! Display detailed clock information
show clock detail
! Show calendar (hardware clock)
show calendar
```
### Check NTP Configuration
```cisco
! Show all NTP configuration
show ntp config
! Show running NTP configuration
show running-config | include ntp
show running-config | include clock
```
### Check NTP Authentication
```cisco
! Show authentication keys (hashed)
show ntp authentication-keys
! Show authentication status
show ntp status | include authentication
```
---
## Common Configuration Examples
### Example 1: Industrial Network Configuration
```cisco
configure terminal
! Use site NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
ntp server 10.100.1.12
! Use primary uplink as source
ntp source GigabitEthernet1/1
! Central Standard Time
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Sync hardware clock
ntp update-calendar
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
### Example 2: Secure Configuration with Authentication
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
ntp authentication-key 10 md5 Ind_NTP_K3y_2024
ntp trusted-key 10
! Configure authenticated servers
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10
! Access control
ntp access-group peer 10
ntp access-group query-only 30
access-list 10 remark NTP Peers
access-list 10 permit 10.100.1.0 0.0.0.255
access-list 30 remark NTP Query
access-list 30 permit 10.100.0.0 0.0.255.255
! Source and timezone
ntp source GigabitEthernet1/1
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### Example 3: Redundant Time Source with Fallback
```cisco
configure terminal
! Primary NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
! Fallback to public NTP if internal servers fail
ntp server 129.6.15.28
ntp server 132.163.96.1
! Use as master only if all external sources fail
ntp master 10
ntp source GigabitEthernet1/1
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
end
write memory
```
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp associations`
- "unsynchronized" appears in status output
**Troubleshooting Steps:**
1. **Verify NTP servers are configured:**
```cisco
show running-config | include ntp server
```
2. **Check network connectivity to NTP servers:**
```cisco
ping 10.1.1.10
ping 10.1.1.10 source GigabitEthernet1/1
traceroute 10.1.1.10
```
3. **Verify NTP packets are being exchanged:**
```cisco
show ntp associations detail
! Check 'reach' value - should be 377 (octal) = all attempts successful
! Check 'when' value - should be recent (< poll interval)
```
4. **Check for authentication mismatches:**
```cisco
show ntp status
! Look for authentication errors
debug ntp all
! Watch for authentication failures
undebug all
```
5. **Verify access lists aren't blocking NTP:**
```cisco
show access-lists
! NTP uses UDP port 123
! Verify ACLs allow UDP 123 traffic
```
6. **Check for large time offset:**
```cisco
show ntp associations detail
! If offset > 1000 seconds, manually set clock first
clock set 14:30:00 15 January 2024
```
7. **Verify source interface is up:**
```cisco
show ip interface brief | include GigabitEthernet1/1
! Source interface must be up/up
```
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp associations`
- Inconsistent time across devices
**Troubleshooting Steps:**
1. **Check network latency and stability:**
```cisco
ping 10.1.1.10 repeat 100
! Look for:
! - Packet loss (should be 0%)
! - High round-trip time (> 100ms problematic)
! - Variable latency (jitter)
```
2. **Verify stratum levels:**
```cisco
show ntp associations
! Stratum (st) should be:
! - < 10 for reliable servers
! - Lower is better (1 = atomic clock, 2 = GPS)
! - Your switch should be stratum +1 from source
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm to select best time source
configure terminal
ntp server 10.1.1.12
ntp server 10.1.1.13
```
4. **Check upstream NTP server health:**
```cisco
show ntp associations detail
! Verify servers show:
! - condition = 'sys.peer' or 'candidate'
! - reach = 377
! - Low dispersion (disp)
```
5. **Monitor polling interval:**
```cisco
show ntp associations
! Poll interval should stabilize at 64-1024 seconds
! Frequent changes indicate instability
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- NTP status shows authentication errors
- Reach value remains 0
**Troubleshooting Steps:**
1. **Verify authentication is enabled:**
```cisco
show ntp status | include authentication
! Should show: "authentication enabled"
```
2. **Check authentication keys are configured:**
```cisco
show ntp authentication-keys
! Verify key IDs exist
```
3. **Verify trusted keys:**
```cisco
show running-config | include ntp trusted-key
! Keys must be marked as trusted
```
4. **Confirm server configuration uses correct key:**
```cisco
show running-config | include ntp server
! Verify key ID matches trusted key
```
5. **Debug authentication:**
```cisco
debug ntp authentication
debug ntp validity
! Watch for authentication failures
! Look for key mismatches
undebug all
```
6. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test if synchronization works without auth
! Then re-enable:
ntp authenticate
```
### Issue: Time Correct but Timezone Wrong
**Symptoms:**
- NTP shows synchronized
- Time is off by exact number of hours
- Logs show incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock timezone
! Ensure timezone offset is correct for your location
```
2. **Check daylight saving time:**
```cisco
show clock detail
! Verify DST rules are correct
! Look for summer-time configuration
```
3. **Reconfigure timezone if needed:**
```cisco
configure terminal
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
```
4. **Verify timestamps in logs:**
```cisco
show running-config | include service timestamps
! Should include 'localtime' and 'show-timezone'
```
### Issue: Hardware Clock Not Updating
**Symptoms:**
- `show clock` shows correct time
- `show calendar` shows old time
- Time resets after reload
**Troubleshooting Steps:**
1. **Verify update-calendar is configured:**
```cisco
show running-config | include ntp update-calendar
```
2. **Manually update calendar:**
```cisco
ntp update-calendar
! Or manually:
clock update-calendar
```
3. **Check calendar after sync:**
```cisco
show calendar
show clock
! Should match within a few seconds
```
4. **Configure automatic update:**
```cisco
configure terminal
ntp update-calendar
end
write memory
```
### Issue: NTP Works but Stops After Time
**Symptoms:**
- NTP synchronizes initially
- Loses sync after hours/days
- Reach value degrades over time
**Troubleshooting Steps:**
1. **Check for network instability:**
```cisco
show ntp associations detail
! Monitor 'reach' value over time
! Should remain at 377
```
2. **Verify interface stability:**
```cisco
show interface GigabitEthernet1/1
! Check for errors, resets, or flapping
```
3. **Check for routing changes:**
```cisco
show ip route 10.1.1.10
! Verify consistent route to NTP server
```
4. **Monitor NTP server health:**
```cisco
! Check if NTP server itself is stable
show ntp associations detail
! Look for increasing dispersion
```
5. **Check for memory or CPU issues:**
```cisco
show processes cpu sorted
show processes memory sorted
! High CPU or memory can affect NTP
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and fault tolerance
- Use diverse network paths to NTP servers when possible
- Consider geographic diversity for enterprise deployments
- Use both on-site and off-site NTP sources
### Security
- **Always use NTP authentication** in production industrial environments
- Implement access control lists to restrict NTP access
- Use MD5 authentication keys with strong passwords
- Regularly rotate authentication keys (annually recommended)
- Monitor for NTP-based attacks (amplification, spoofing)
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal for enterprise)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2 instead)
- Ensure stable network path to NTP servers
### Industrial Environment Considerations
- Account for temperature variations in industrial settings
- Use ruggedized NTP appliances in harsh environments
- Consider GPS-based NTP servers for isolated sites
- Implement redundant time sources for critical applications
- Test NTP resilience during network outages
### Maintenance
- Regularly verify NTP synchronization status (daily)
- Monitor offset and jitter values (weekly)
- Review NTP logs for anomalies
- Update authentication keys periodically
- Document your NTP server hierarchy
- Test failover scenarios
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds
- NTP will refuse to sync if initial offset is too large
- Use `clock set` command before enabling NTP on new switches
- Allow 10-15 minutes for initial synchronization
- Monitor stabilization with `show ntp associations`
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include Clock
show ntp associations | include "\*"
! Weekly detailed check
show ntp associations detail
show clock detail
! Check for errors
show logging | include NTP
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 version 2c YourCommunity
end
write memory
```
### Syslog Monitoring
```cisco
configure terminal
! Configure syslog server
logging host 10.1.1.50
! Set logging level
logging trap informational
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### EEM Script for NTP Monitoring
```cisco
configure terminal
! Create EEM applet to monitor NTP
event manager applet NTP-Monitor
event timer watchdog time 300
action 1.0 cli command "enable"
action 2.0 cli command "show ntp status | include Clock"
action 3.0 regexp "unsynchronized" "$_cli_result"
action 4.0 if $_regexp_result eq 1
action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized"
action 4.2 cli command "show ntp associations"
action 5.0 end
end
write memory
```
---
## Debug Commands
### NTP Debugging
```cisco
! Enable NTP debugging (use with caution in production)
debug ntp all
debug ntp authentication
debug ntp events
debug ntp packets
debug ntp validity
! Disable debugging
undebug all
! Or
no debug all
```
### Conditional Debugging
```cisco
! Debug specific NTP server
debug ntp packets 10.1.1.10
! View debug output
terminal monitor
! Then enable debugging
```
**Warning:** Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete.
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp associations` | List all NTP peers and sync status |
| `show ntp associations detail` | Detailed peer statistics |
| `show clock` | Current system time |
| `show clock detail` | Time with timezone and DST info |
| `show calendar` | Hardware clock time |
| `show running-config \| include ntp` | Display NTP configuration |
| `show running-config \| include clock` | Display time configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `ntp update-calendar` | Sync hardware clock from system |
| `clock update-calendar` | Alternative calendar sync |
| `clock set HH:MM:SS DD Month YYYY` | Manually set system time |
---
## IOS-XE Specific Features
### NTP Broadcast
The ESS 9300 running IOS-XE supports NTP broadcast mode:
```cisco
! Server sends periodic broadcasts
interface GigabitEthernet1/1
ntp broadcast
exit
! Client receives broadcasts
interface GigabitEthernet1/2
ntp broadcast client
exit
```
### NTP Multicast
```cisco
! Server sends to multicast group
interface GigabitEthernet1/1
ntp multicast 224.0.1.1
exit
! Client receives multicast
interface GigabitEthernet1/2
ntp multicast client 224.0.1.1
exit
```
### IPv6 NTP Support
```cisco
configure terminal
! IPv6 NTP server
ntp server 2001:db8::10 prefer
! IPv6 source interface
ntp source Vlan100
end
write memory
```
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `129.6.15.29` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
- `132.163.96.2` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
### Regional Pools
- `0.north-america.pool.ntp.org`
- `0.us.pool.ntp.org`
**Note:** For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy.
---
## Integration with Industrial Protocols
### PTP (Precision Time Protocol) Coexistence
The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices:
- Use **PTP for sub-microsecond precision** (automation, motion control)
- Use **NTP for general timekeeping** (logging, AAA, management)
- Keep NTP and PTP on separate VLANs if possible
- Use NTP for non-critical devices
- Reserve PTP for time-critical industrial applications
### Synchronization with PLCs and SCADA
```cisco
! Configure NTP to serve time to industrial devices
configure terminal
ntp master 3
ntp source GigabitEthernet1/1
! Allow SCADA network to query time
ntp access-group serve 20
access-list 20 permit 10.50.0.0 0.0.255.255
end
write memory
```
---
## Differences from Nexus NX-OS
Key differences when coming from Nexus switches:
| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) |
|---------|---------------|-------------------|
| VRF syntax | `use-vrf management` | Not required (use `source` instead) |
| Feature enable | `feature ntp` | Not required (built-in) |
| Calendar sync | N/A | `ntp update-calendar` |
| Save config | `copy run start` | `write memory` or `copy run start` |
| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) |
| Interface naming | `mgmt0` | `GigabitEthernet0/0` |
---
## Document Information
**Target Platform:** Cisco Catalyst ESS 9300 (IE-9300)
**Operating System:** IOS-XE
**IOS-XE Versions:** 17.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide for industrial Ethernet environments
For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version.

518
Work/Cisco/Nexus_NTP.md
View file

@ -1,518 +0,0 @@
---
title: NTP Deep dive on the Nexus
description: Config and troubleshoot
published: true
date: 2026-03-31T20:46:08.474Z
tags:
editor: markdown
dateCreated: 2026-03-31T20:45:58.287Z
---
# Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation.
---
## NTP Configuration
### Basic NTP Server Configuration
configure terminal
! Enable NTP feature (if not already enabled)
feature ntp
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer use-vrf management
ntp server 10.1.1.11 use-vrf management
ntp server 192.0.2.1 use-vrf default
! Configure NTP source interface (optional but recommended)
ntp source-interface mgmt0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
! Save configuration
copy running-config startup-config
### NTP Authentication (Recommended for Production)
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys
ntp authentication-key 1 md5 YourSecureKey123 7
ntp authentication-key 2 md5 AnotherSecureKey456 7
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer use-vrf management key 1
ntp server 10.1.1.11 use-vrf management key 2
copy running-config startup-config
### NTP Access Control (Security Best Practice)
configure terminal
! Define access control for NTP
! peer: Allow sync and queries
! serve: Respond to queries only
! serve-only: Respond to queries but don't sync
! query-only: Allow queries only
ntp access-group peer PeerACL
ntp access-group serve ServeACL
ntp access-group query-only QueryACL
! Create ACLs
ip access-list NTP-Peers
10 permit ip 10.1.1.0/24 any
20 deny ip any any
ip access-list NTP-Serve
10 permit ip 10.0.0.0/8 any
20 deny ip any any
copy running-config startup-config
### NTP Master Configuration (Switch as Time Source)
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest)
copy running-config startup-config
### Logging NTP Events
configure terminal
! Enable logging for NTP
ntp logging
! Adjust logging level if needed
logging level ntp 6
copy running-config startup-config
---
## Verification Commands
### Check NTP Status
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.0023 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
### Check NTP Peers
! Show all NTP peers and their status
show ntp peers
! Column descriptions:
! * = synchronized, + = candidate, # = selected
! remote: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval
! reach: reachability (377 = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! jitter: dispersion (ms)
### Check NTP Statistics
! Show detailed peer statistics
show ntp peer-status
! Show specific peer details
show ntp peer 10.1.1.10
### Check NTP Authentication
! Verify authentication keys
show ntp authentication-keys
! Check authentication status
show ntp authentication-status
### Check Time Configuration
! Display current clock settings
show clock detail
! Show timezone configuration
show running-config | include clock
---
## Common Configuration Examples
### Example 1: Enterprise Configuration with Multiple Servers
configure terminal
feature ntp
! Use company NTP servers in management VRF
ntp server 10.10.1.10 prefer use-vrf management
ntp server 10.10.1.11 use-vrf management
ntp server 10.10.1.12 use-vrf management
! Use public NTP as backup in default VRF
ntp server 129.6.15.28 use-vrf default
ntp server 132.163.96.1 use-vrf default
ntp source-interface mgmt0
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
ntp logging
copy running-config startup-config
### Example 2: Secure Configuration with Authentication
configure terminal
feature ntp
ntp authenticate
ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024 7
ntp trusted-key 10
ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 10
ntp access-group peer NTP-PEERS
ip access-list NTP-PEERS
10 permit ip 10.10.1.0/24 any
20 deny ip any any log
ntp source-interface mgmt0
ntp logging
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
copy running-config startup-config
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp peers`
**Troubleshooting Steps:**
1. **Verify NTP feature is enabled:**
show feature | include ntp
! If disabled:
configure terminal
feature ntp
2. **Check network connectivity to NTP servers:**
ping 10.1.1.10 vrf management
traceroute 10.1.1.10 vrf management
3. **Verify NTP packets are being exchanged:**
show ntp peer-status
! Check 'reach' column - should be 377 (binary 11111111)
! Check 'when' column - should be recent (< poll interval)
4. **Check for authentication mismatches:**
show ntp authentication-status
! Verify keys match between switch and server
5. **Verify correct VRF is configured:**
show running-config | include "ntp server"
! Ensure use-vrf matches your management connectivity
6. **Check firewall/ACL blocking UDP port 123:**
! NTP uses UDP port 123
show ip access-lists
7. **Verify time offset isn't too large:**
! If offset > 1000 seconds, NTP may refuse to sync
! Manually set clock closer to correct time:
clock set 14:30:00 15 January 2024
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp peers`
**Troubleshooting Steps:**
1. **Check network latency:**
ping 10.1.1.10 vrf management repeat 100
! Look for packet loss and high/variable latency
2. **Verify stratum levels:**
```cisco
show ntp peers
! Stratum should be < 10 for reliable servers
! Lower stratum = more accurate
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm with multiple sources
```
4. **Check for upstream NTP issues:**
```cisco
show ntp peer-status
! Verify your NTP servers are synchronized
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- Authentication errors in logs
**Troubleshooting Steps:**
1. **Verify authentication is configured on both ends:**
```cisco
show ntp authentication-status
```
2. **Check key ID and values match:**
```cisco
show ntp authentication-keys
! Key number and MD5 hash must match server
```
3. **Verify trusted keys are configured:**
```cisco
show running-config | include "ntp trusted-key"
```
4. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test connectivity
! Re-enable after testing:
ntp authenticate
```
### Issue: NTP Working but Time Still Wrong
**Symptoms:**
- `show ntp status` shows synchronized
- Clock shows incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock
! Ensure timezone matches your location
```
2. **Check daylight saving time settings:**
```cisco
show clock detail
! Verify DST is configured if applicable
```
3. **Confirm NTP server time is correct:**
```cisco
show ntp peers
! Check offset - should be small (< 100ms typically)
```
### Issue: Cannot Add NTP Server
**Symptoms:**
- Configuration commands rejected
- "Invalid VRF" error
**Troubleshooting Steps:**
1. **Verify VRF exists:**
```cisco
show vrf
! Common VRFs: management, default
```
2. **Check if management interface is configured:**
```cisco
show running-config interface mgmt0
! Ensure IP address and VRF are configured
```
3. **Verify source interface exists:**
```cisco
show interface mgmt0 brief
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and redundancy
- Use diverse network paths to NTP servers when possible
- Consider using both internal and external NTP sources
### Security
- **Always use NTP authentication** in production environments
- Implement access control lists to limit NTP queries
- Use `use-vrf management` to isolate NTP traffic
- Monitor NTP logs for unusual activity
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2)
### Maintenance
- Regularly verify NTP synchronization status
- Monitor offset and jitter values
- Update authentication keys periodically
- Document your NTP server hierarchy
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds of actual time
- NTP will refuse to sync if offset is too large initially
- Use `clock set` command before enabling NTP on new switches
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include "Clock is"
show ntp peers | include "\*"
! Weekly detailed check
show ntp peer-status
show clock detail
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 traps version 2c YourCommunity
copy running-config startup-config
```
### Syslog Monitoring
```cisco
configure terminal
! Ensure NTP logging is enabled
ntp logging
! Configure syslog server
logging server 10.1.1.50 6 use-vrf management
! Set appropriate logging level
logging level ntp 6
copy running-config startup-config
```
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp peers` | List all NTP peers and sync status |
| `show ntp peer-status` | Detailed peer statistics |
| `show clock detail` | Current time and configuration |
| `show feature \| include ntp` | Verify NTP feature enabled |
| `show running-config \| include ntp` | Display NTP configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `clear ntp statistics` | Reset NTP statistics |
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
**Note:** For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly.
---
## Document Information
**Target Platform:** Cisco Nexus 93180
**NX-OS Versions:** 7.x, 9.x, 10.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide
For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version.

2
Work/Ducky/ess9300_upgrade.md
View file

@ -2,7 +2,7 @@
title: Voyager SW10GG Upgrade
description: Cisco ESS 9300
published: true
date: 2026-03-19T15:24:41.320Z
date: 2026-03-19T15:24:35.613Z
tags:
editor: markdown
dateCreated: 2026-03-19T15:24:35.613Z

2
Work/Ducky/ess_3300.md
View file

@ -2,7 +2,7 @@
title: Voyager SW26G Upgrade
description: Cisco ESS 3300 Upgrade
published: true
date: 2026-03-19T15:46:20.810Z
date: 2026-03-19T15:46:15.200Z
tags:
editor: markdown
dateCreated: 2026-03-19T15:46:15.200Z

2
Work/Nexus-upgrade.md
View file

@ -2,7 +2,7 @@
title: Nexus Upgrade
description:
published: true
date: 2026-02-19T20:37:41.384Z
date: 2026-02-19T20:37:32.957Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:37:32.957Z

2
Work/Nexus_1_Build.md
View file

@ -2,7 +2,7 @@
title: C9300GX-1 Build
description:
published: true
date: 2026-02-19T20:47:10.482Z
date: 2026-02-19T20:46:00.149Z
tags:
editor: markdown
dateCreated: 2026-02-19T20:45:10.926Z

2
home.md
View file

@ -2,7 +2,7 @@
title: Netgrimoire
description:
published: true
date: 2026-02-25T21:48:26.231Z
date: 2026-02-25T21:48:20.699Z
tags:
editor: markdown
dateCreated: 2026-01-21T13:19:48.685Z

BIN
netgrimoire_gremlin.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 2.2 MiB