---
title: ESS9300 NTP
description:
published: true
date: 2026-03-31T21:25:14.679Z
tags:
editor: markdown
dateCreated: 2026-03-31T21:25:08.700Z
---

# Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide

## Overview

This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting.

---

## NTP Configuration

### Basic NTP Server Configuration

```cisco
configure terminal

! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer
ntp server 10.1.1.11
ntp server 192.0.2.1

! Configure NTP source interface (optional but recommended)
ntp source GigabitEthernet1/1

! Alternatively, use management interface if configured
! ntp source GigabitEthernet0/0

! Set timezone (adjust to your location)
clock timezone EST -5 0

! Configure daylight saving time (if applicable)
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

! Save configuration
end
write memory
```

### NTP Authentication (Recommended for Production)

```cisco
configure terminal

! Enable NTP authentication
ntp authenticate

! Create authentication keys (key ID 1-65535)
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456

! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2

! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2

end
write memory
```

### NTP Access Control (Security Best Practice)

```cisco
configure terminal

! Define access control for NTP
! peer: Allow time sync from these sources
! serve: Respond to time requests from these sources
! serve-only: Respond to requests but don't sync from them
! query-only: Allow status queries only
ntp access-group peer 10
ntp access-group serve 20
ntp access-group query-only 30

! Create access lists
access-list 10 remark NTP Peers - Allow sync
access-list 10 permit 10.1.1.0 0.0.0.255

access-list 20 remark NTP Serve - Respond to requests
access-list 20 permit 10.0.0.0 0.255.255.255

access-list 30 remark NTP Query - Status queries only
access-list 30 permit 192.168.0.0 0.0.255.255

end
write memory
```

### NTP Master Configuration (Switch as Time Source)

```cisco
configure terminal

! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8

! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest, typically atomic clocks)
! Use stratum 8-15 for internal masters

end
write memory
```

### Advanced NTP Configuration

```cisco
configure terminal

! Update calendar from NTP (hardware clock sync)
ntp update-calendar

! Disable NTP on specific interfaces (if needed)
interface GigabitEthernet1/10
 ntp disable
 exit

! Configure NTP broadcast (server mode)
interface GigabitEthernet1/1
 ntp broadcast
 exit

! Configure NTP broadcast client (client mode)
interface GigabitEthernet1/2
 ntp broadcast client
 exit

! Timestamp log and debug messages (local time with timezone)
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone

end
write memory
```

---

## Verification Commands

### Check NTP Status

```cisco
! Show NTP status summary
show ntp status

! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10
! ntp uptime is 86400 (1/100 of seconds), resolution is 4016
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.5234 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s
! system poll interval is 64, last update was 25 sec ago
```

### Check NTP Associations

```cisco
! Show all NTP associations (peers)
show ntp associations

! Detailed view
show ntp associations detail

! Column descriptions:
! * = synchronized, + = candidate, # = selected, - = outlier
! address: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval (seconds)
! reach: reachability (377 octal = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! disp: dispersion/jitter (ms)
```

### Check Clock and Time

```cisco
! Display current time
show clock

! Display detailed clock information
show clock detail

! Show calendar (hardware clock)
show calendar
```

### Check NTP Configuration

```cisco
! Show all NTP configuration
show ntp config

! Show running NTP configuration
show running-config | include ntp
show running-config | include clock
```

### Check NTP Authentication

```cisco
! Show authentication keys (hashed)
show ntp authentication-keys

! Show authentication status
show ntp status | include authentication
```

---

## Common Configuration Examples

### Example 1: Industrial Network Configuration

```cisco
configure terminal

! Use site NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
ntp server 10.100.1.12

! Use primary uplink as source
ntp source GigabitEthernet1/1

! Central Standard Time
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

! Sync hardware clock
ntp update-calendar

! Enable timestamps
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone

end
write memory
```

### Example 2: Secure Configuration with Authentication

```cisco
configure terminal

! Enable NTP authentication
ntp authenticate
ntp authentication-key 10 md5 Ind_NTP_K3y_2024
ntp trusted-key 10

! Configure authenticated servers
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10

! Access control
ntp access-group peer 10
ntp access-group query-only 30

access-list 10 remark NTP Peers
access-list 10 permit 10.100.1.0 0.0.0.255

access-list 30 remark NTP Query
access-list 30 permit 10.100.0.0 0.0.255.255

! Source and timezone
ntp source GigabitEthernet1/1
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

ntp update-calendar
service timestamps log datetime msec localtime show-timezone

end
write memory
```

### Example 3: Redundant Time Source with Fallback

```cisco
configure terminal

! Primary NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11

! Fallback to public NTP if internal servers fail
ntp server 129.6.15.28
ntp server 132.163.96.1

! Use as master only if all external sources fail
ntp master 10

ntp source GigabitEthernet1/1
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar

end
write memory
```

---

## Troubleshooting Guide

### Issue: NTP Not Synchronizing

**Symptoms:**

- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp associations`
- "unsynchronized" appears in status output

**Troubleshooting Steps:**

1. **Verify NTP servers are configured:**
   ```cisco
   show running-config | include ntp server
   ```

2. **Check network connectivity to NTP servers:**
   ```cisco
   ping 10.1.1.10
   ping 10.1.1.10 source GigabitEthernet1/1
   traceroute 10.1.1.10
   ```

3. **Verify NTP packets are being exchanged:**
   ```cisco
   show ntp associations detail
   ! Check 'reach' value - should be 377 (octal) = all attempts successful
   ! Check 'when' value - should be recent (< poll interval)
   ```

4. **Check for authentication mismatches:**
   ```cisco
   show ntp status
   ! Look for authentication errors

   debug ntp all
   ! Watch for authentication failures
   undebug all
   ```

5. **Verify access lists aren't blocking NTP:**
   ```cisco
   show access-lists
   ! NTP uses UDP port 123
   ! Verify ACLs allow UDP 123 traffic
   ```

6. **Check for large time offset:**
   ```cisco
   show ntp associations detail
   ! If offset > 1000 seconds, manually set clock first
   clock set 14:30:00 15 January 2024
   ```

7. **Verify source interface is up:**
   ```cisco
   show ip interface brief | include GigabitEthernet1/1
   ! Source interface must be up/up
   ```

### Issue: High Offset or Jitter

**Symptoms:**

- Time drifts significantly
- High offset values in `show ntp associations`
- Inconsistent time across devices

**Troubleshooting Steps:**

1. **Check network latency and stability:**
   ```cisco
   ping 10.1.1.10 repeat 100
   ! Look for:
   ! - Packet loss (should be 0%)
   ! - High round-trip time (> 100ms problematic)
   ! - Variable latency (jitter)
   ```

2. **Verify stratum levels:**
   ```cisco
   show ntp associations
   ! Stratum (st) should be:
   ! - < 10 for reliable servers
   ! - Lower is better (1 = atomic clock, 2 = GPS)
   ! - Your switch should be stratum +1 from source
   ```

3. **Increase number of NTP servers:**
   ```cisco
   ! Use at least 3 servers for best accuracy
   ! NTP uses voting algorithm to select best time source
   configure terminal
   ntp server 10.1.1.12
   ntp server 10.1.1.13
   end
   ```

4. **Check upstream NTP server health:**
   ```cisco
   show ntp associations detail
   ! Verify servers show:
   ! - condition = 'sys.peer' or 'candidate'
   ! - reach = 377
   ! - Low dispersion (disp)
   ```

5. **Monitor polling interval:**
   ```cisco
   show ntp associations
   ! Poll interval should stabilize at 64-1024 seconds
   ! Frequent changes indicate instability
   ```

### Issue: Authentication Failures

**Symptoms:**

- Peers show as unreachable despite network connectivity
- NTP status shows authentication errors
- Reach value remains 0

**Troubleshooting Steps:**

1. **Verify authentication is enabled:**
   ```cisco
   show ntp status | include authentication
   ! Should show: "authentication enabled"
   ```

2. **Check authentication keys are configured:**
   ```cisco
   show ntp authentication-keys
   ! Verify key IDs exist
   ```

3. **Verify trusted keys:**
   ```cisco
   show running-config | include ntp trusted-key
   ! Keys must be marked as trusted
   ```

4. **Confirm server configuration uses correct key:**
   ```cisco
   show running-config | include ntp server
   ! Verify key ID matches trusted key
   ```

5. **Debug authentication:**
   ```cisco
   debug ntp authentication
   debug ntp validity
   ! Watch for authentication failures
   ! Look for key mismatches
   undebug all
   ```

6. **Temporarily disable authentication to test:**
   ```cisco
   configure terminal
   no ntp authenticate
   ! Test if synchronization works without auth
   ! Then re-enable:
   ntp authenticate
   end
   ```

### Issue: Time Correct but Timezone Wrong

**Symptoms:**

- NTP shows synchronized
- Time is off by an exact number of hours
- Logs show incorrect time

**Troubleshooting Steps:**

1. **Verify timezone configuration:**
   ```cisco
   show running-config | include clock timezone
   ! Ensure timezone offset is correct for your location
   ```

2. **Check daylight saving time:**
   ```cisco
   show clock detail
   ! Verify DST rules are correct
   ! Look for summer-time configuration
   ```

3. **Reconfigure timezone if needed:**
   ```cisco
   configure terminal
   clock timezone EST -5 0
   clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
   end
   ```

4. **Verify timestamps in logs:**
   ```cisco
   show running-config | include service timestamps
   ! Should include 'localtime' and 'show-timezone'
   ```

### Issue: Hardware Clock Not Updating

**Symptoms:**

- `show clock` shows correct time
- `show calendar` shows old time
- Time resets after reload

**Troubleshooting Steps:**

1. **Verify update-calendar is configured:**
   ```cisco
   show running-config | include ntp update-calendar
   ```

2. **Manually update calendar:**
   ```cisco
   ! ntp update-calendar is a global configuration command
   configure terminal
   ntp update-calendar
   end
   ! Or manually, from privileged EXEC mode:
   clock update-calendar
   ```

3. **Check calendar after sync:**
   ```cisco
   show calendar
   show clock
   ! Should match within a few seconds
   ```

4. **Configure automatic update:**
   ```cisco
   configure terminal
   ntp update-calendar
   end
   write memory
   ```

### Issue: NTP Works but Stops After Some Time

**Symptoms:**

- NTP synchronizes initially
- Loses sync after hours/days
- Reach value degrades over time

**Troubleshooting Steps:**

1. **Check for network instability:**
   ```cisco
   show ntp associations detail
   ! Monitor 'reach' value over time
   ! Should remain at 377
   ```

2. **Verify interface stability:**
   ```cisco
   show interface GigabitEthernet1/1
   ! Check for errors, resets, or flapping
   ```

3. **Check for routing changes:**
   ```cisco
   show ip route 10.1.1.10
   ! Verify consistent route to NTP server
   ```

4. **Monitor NTP server health:**
   ```cisco
   ! Check if NTP server itself is stable
   show ntp associations detail
   ! Look for increasing dispersion
   ```

5. **Check for memory or CPU issues:**
   ```cisco
   show processes cpu sorted
   show processes memory sorted
   ! High CPU or memory can affect NTP
   ```

---

## Best Practices

### Redundancy

- Configure at least **3 NTP servers** for optimal accuracy and fault tolerance
- Use diverse network paths to NTP servers when possible
- Consider geographic diversity for enterprise deployments
- Use both on-site and off-site NTP sources

### Security

- **Always use NTP authentication** in production industrial environments
- Implement access control lists to restrict NTP access
- Use MD5 authentication keys with strong passwords
- Regularly rotate authentication keys (annually recommended)
- Monitor for NTP-based attacks (amplification, spoofing)

### Performance

- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal for enterprise)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2 instead)
- Ensure stable network path to NTP servers

### Industrial Environment Considerations

- Account for temperature variations in industrial settings
- Use ruggedized NTP appliances in harsh environments
- Consider GPS-based NTP servers for isolated sites
- Implement redundant time sources for critical applications
- Test NTP resilience during network outages

### Maintenance

- Regularly verify NTP synchronization status (daily)
- Monitor offset and jitter values (weekly)
- Review NTP logs for anomalies
- Update authentication keys periodically
- Document your NTP server hierarchy
- Test failover scenarios

### Time Initialization

- When first configuring, manually set clock to within 1000 seconds
- NTP will refuse to sync if initial offset is too large
- Use `clock set` command before enabling NTP on new switches
- Allow 10-15 minutes for initial synchronization
- Monitor stabilization with `show ntp associations`

---

## Monitoring and Logging

### Regular Health Checks

```cisco
! Daily verification
show ntp status | include Clock
show ntp associations | include \*

! Weekly detailed check
show ntp associations detail
show clock detail

! Check for errors
show logging | include NTP
```

### Enable SNMP Monitoring

```cisco
configure terminal

! Enable SNMP for NTP monitoring
snmp-server enable traps ntp

! Configure SNMP trap receiver
snmp-server host 10.1.1.100 version 2c YourCommunity

end
write memory
```

### Syslog Monitoring

```cisco
configure terminal

! Configure syslog server
logging host 10.1.1.50

! Set logging level
logging trap informational

! Enable timestamps
service timestamps log datetime msec localtime show-timezone

end
write memory
```

### EEM Script for NTP Monitoring

```cisco
configure terminal

! Create EEM applet to monitor NTP
event manager applet NTP-Monitor
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 2.0 cli command "show ntp status | include Clock"
 action 3.0 regexp "unsynchronized" "$_cli_result"
 action 4.0 if $_regexp_result eq 1
 action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized"
 action 4.2 cli command "show ntp associations"
 action 5.0 end

end
write memory
```

---

## Debug Commands

### NTP Debugging

```cisco
! Enable NTP debugging (use with caution in production)
debug ntp all
debug ntp authentication
debug ntp events
debug ntp packets
debug ntp validity

! Disable debugging
undebug all
! Or
no debug all
```

### Conditional Debugging

```cisco
! Debug specific NTP server
debug ntp packets 10.1.1.10

! View debug output
terminal monitor
! Then enable debugging
```

**Warning:** Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete.

---

## Quick Reference Commands

| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp associations` | List all NTP peers and sync status |
| `show ntp associations detail` | Detailed peer statistics |
| `show clock` | Current system time |
| `show clock detail` | Time with timezone and DST info |
| `show calendar` | Hardware clock time |
| `show running-config \| include ntp` | Display NTP configuration |
| `show running-config \| include clock` | Display time configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `ntp update-calendar` | Sync hardware clock from system |
| `clock update-calendar` | Alternative calendar sync |
| `clock set HH:MM:SS DD Month YYYY` | Manually set system time |

---

## IOS-XE Specific Features

### NTP Broadcast

The ESS 9300 running IOS-XE supports NTP broadcast mode:

```cisco
! Server sends periodic broadcasts
interface GigabitEthernet1/1
 ntp broadcast
 exit

! Client receives broadcasts
interface GigabitEthernet1/2
 ntp broadcast client
 exit
```

### NTP Multicast

```cisco
! Server sends to multicast group
interface GigabitEthernet1/1
 ntp multicast 224.0.1.1
 exit

! Client receives multicast
interface GigabitEthernet1/2
 ntp multicast client 224.0.1.1
 exit
```

### IPv6 NTP Support

```cisco
configure terminal

! IPv6 NTP server
ntp server 2001:db8::10 prefer

! IPv6 source interface
ntp source Vlan100

end
write memory
```

---

## Appendix: Public NTP Servers

### NIST (US Government)

- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `129.6.15.29` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
- `132.163.96.2` - NIST, Boulder, Colorado

### US Naval Observatory

- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil

### NTP Pool Project

- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`

### Regional Pools

- `0.north-america.pool.ntp.org`
- `0.us.pool.ntp.org`

**Note:** For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy.

---

## Integration with Industrial Protocols

### PTP (Precision Time Protocol) Coexistence

The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices:

- Use **PTP for sub-microsecond precision** (automation, motion control)
- Use **NTP for general timekeeping** (logging, AAA, management)
- Keep NTP and PTP on separate VLANs if possible
- Use NTP for non-critical devices
- Reserve PTP for time-critical industrial applications

### Synchronization with PLCs and SCADA

```cisco
! Configure NTP to serve time to industrial devices
configure terminal

ntp master 3
ntp source GigabitEthernet1/1

! Allow SCADA network to query time
ntp access-group serve 20
access-list 20 permit 10.50.0.0 0.0.255.255

end
write memory
```

---

## Differences from Nexus NX-OS

Key differences when coming from Nexus switches:

| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) |
|---------|---------------|-------------------|
| VRF syntax | `use-vrf management` | Not required (use `source` instead) |
| Feature enable | `feature ntp` | Not required (built-in) |
| Calendar sync | N/A | `ntp update-calendar` |
| Save config | `copy run start` | `write memory` or `copy run start` |
| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) |
| Interface naming | `mgmt0` | `GigabitEthernet0/0` |

---

## Document Information

**Target Platform:** Cisco Catalyst ESS 9300 (IE-9300)

**Operating System:** IOS-XE

**IOS-XE Versions:** 17.x

**Last Updated:** March 2026

**Document Purpose:** Configuration reference and troubleshooting guide for industrial Ethernet environments

For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version.
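
The health checks in the verification and troubleshooting sections (asterisk present, `reach` at 377 octal, at least 3 servers) can be automated off-box. The following is an added example, not part of the original guide or any Cisco tooling: it parses collected `show ntp associations` text and decodes `reach` as the 8-poll shift register it is. The sample output is constructed, and the function names and the 100 ms offset threshold are assumptions.

```python
import re

# One peer row of `show ntp associations`; column 0 is the selection flag.
ROW = re.compile(
    r"^(?P<flag>[*#+x -])~?(?P<addr>\S+)\s+\S+\s+(?P<st>\d+)\s+\S+\s+\d+\s+"
    r"(?P<reach>[0-7]{1,3})\s+[\d.]+\s+(?P<offset>-?[\d.]+)\s+[\d.]+\s*$"
)

def parse_associations(text):
    """Return one dict per peer row; header and legend lines do not match."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            reach = int(m["reach"], 8)  # reach is printed in octal
            peers.append({
                "addr": m["addr"],
                "flag": m["flag"],
                "stratum": int(m["st"]),
                "reach": reach,
                "polls_ok": bin(reach).count("1"),  # replies in the last 8 polls
                "last_poll_ok": bool(reach & 1),    # newest poll is the low bit
                "offset_ms": float(m["offset"]),
            })
    return peers

def assess(text, max_offset_ms=100.0, min_servers=3):
    """Return a list of findings; an empty list means nothing to report."""
    peers = parse_associations(text)
    findings = []
    if not any(p["flag"] == "*" for p in peers):
        findings.append("no sys.peer (*): clock is unsynchronized")
    if len(peers) < min_servers:
        findings.append(f"only {len(peers)} server(s), want {min_servers}")
    for p in peers:
        if p["reach"] == 0:
            findings.append(f"{p['addr']}: reach 0, no replies received")
        elif p["reach"] != 0o377:
            findings.append(f"{p['addr']}: {p['polls_ok']}/8 recent polls answered")
        if p["stratum"] >= 16:
            findings.append(f"{p['addr']}: stratum 16, source is unsynchronized")
        if abs(p["offset_ms"]) > max_offset_ms:  # assumed threshold
            findings.append(f"{p['addr']}: offset {p['offset_ms']} ms too high")
    return findings

# Constructed sample output, not captured from a real switch.
SAMPLE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.1.1.10       192.0.2.50       2     25     64   377  1.234  -0.523  1.230
+~10.1.1.11       192.0.2.50       2     40     64   376  2.100   0.310  2.450
 ~192.0.2.1       .INIT.          16      -     64     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE)) or "healthy")
```

A `reach` of 376 means only the most recent poll went unanswered, which is an earlier signal than waiting for the value to decay to 0.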
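
The authentication section requires the key ID, the key string and the trusted-key list to line up on both ends. This added example (not from the original guide and not Cisco code) shows why, using the standard NTP symmetric-key MAC: a 32-bit key ID followed by MD5 over the key concatenated with the 48-byte header. It assumes the key string is used as raw ASCII bytes; the key IDs and strings are the ones from the guide's authentication example, and the timestamp and function names are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest

def client_request(tx_seconds, tx_fraction=0):
    """Build a 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, 9 zeroed 32-bit words, then the transmit timestamp
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                       *([0] * 9), tx_seconds, tx_fraction)

def add_mac(header, key_id, key):
    """Sender side: append key ID and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def check_mac(message, trusted_keys):
    """Receiver side. trusted_keys maps key ID -> key bytes (the trusted-key set)."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return "no MAC present"
    header = message[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])
    digest = message[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return f"key {key_id} not trusted"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, digest):
        return f"key {key_id} digest mismatch"
    return "ok"

# Key IDs and strings from the guide's authentication example (assumed raw ASCII).
SERVER_KEYS = {1: b"YourSecureKey123", 2: b"AnotherSecureKey456"}

def demo():
    request = client_request(tx_seconds=3_900_000_000)  # constructed timestamp
    results = {
        "matching key 1": check_mac(add_mac(request, 1, SERVER_KEYS[1]), SERVER_KEYS),
        "typo in key 1": check_mac(add_mac(request, 1, b"YourSecureKey124"), SERVER_KEYS),
        "key 3 not trusted": check_mac(add_mac(request, 3, b"x"), SERVER_KEYS),
        "unauthenticated": check_mac(request, SERVER_KEYS),
    }
    tampered = bytearray(add_mac(request, 2, SERVER_KEYS[2]))
    tampered[40] ^= 0x01  # flip one bit of the transmit timestamp
    results["modified in transit"] = check_mac(bytes(tampered), SERVER_KEYS)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Each failing case corresponds to a step in the "Authentication Failures" checklist: key string mismatch, key ID missing from the trusted set, and a peer that sends no MAC at all.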