---
title: NTP Deep dive on the Nexus
description: Config and troubleshoot
published: true
date: 2026-03-31T20:46:08.474Z
tags:
editor: markdown
dateCreated: 2026-03-31T20:45:58.287Z
---

# Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide

## Overview

This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation.

---

## NTP Configuration

### Basic NTP Server Configuration

```cisco
configure terminal

! Enable NTP feature (if not already enabled)
feature ntp

! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer use-vrf management
ntp server 10.1.1.11 use-vrf management
ntp server 192.0.2.1 use-vrf default

! Configure NTP source interface (optional but recommended)
ntp source-interface mgmt0

! Set timezone (adjust to your location)
clock timezone EST -5 0

! Configure daylight saving time (if applicable)
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60

! Save configuration
copy running-config startup-config
```

### NTP Authentication (Recommended for Production)

```cisco
configure terminal

! Enable NTP authentication
ntp authenticate

! Create authentication keys
! Enter the key in plain text. A trailing 7 marks the string as already
! encrypted (the form shown in the running configuration), so it is omitted here.
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456

! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2

! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer use-vrf management key 1
ntp server 10.1.1.11 use-vrf management key 2

copy running-config startup-config
```

### NTP Access Control (Security Best Practice)

```cisco
configure terminal

! Define access control for NTP
! peer: Allow sync and queries
! serve: Respond to queries only
! serve-only: Respond to queries but don't sync
! query-only: Allow queries only
! The ACL names must match the ACLs created below
ntp access-group peer NTP-Peers
ntp access-group serve NTP-Serve
! QueryACL is not defined in this example; create it the same way before use
ntp access-group query-only QueryACL

! Create ACLs
ip access-list NTP-Peers
  10 permit ip 10.1.1.0/24 any
  20 deny ip any any

ip access-list NTP-Serve
  10 permit ip 10.0.0.0/8 any
  20 deny ip any any

copy running-config startup-config
```

### NTP Master Configuration (Switch as Time Source)

```cisco
configure terminal

! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8

! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest)

copy running-config startup-config
```

### Logging NTP Events

```cisco
configure terminal

! Enable logging for NTP
ntp logging

! Adjust logging level if needed
logging level ntp 6

copy running-config startup-config
```

---

## Verification Commands

### Check NTP Status

```cisco
! Show NTP status summary
show ntp status

! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.0023 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
```

### Check NTP Peers

```cisco
! Show all NTP peers and their status
show ntp peers

! Column descriptions:
! * = synchronized, + = candidate, # = selected
! remote: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval
! reach: reachability (377 = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! jitter: dispersion (ms)
```

### Check NTP Statistics

```cisco
! Show detailed peer statistics
show ntp peer-status

! Show specific peer details
show ntp peer 10.1.1.10
```

### Check NTP Authentication

```cisco
! Verify authentication keys
show ntp authentication-keys

! Check authentication status
show ntp authentication-status
```

### Check Time Configuration

```cisco
! Display current clock settings
show clock detail

! Show timezone configuration
show running-config | include clock
```

---

## Common Configuration Examples

### Example 1: Enterprise Configuration with Multiple Servers

```cisco
configure terminal

feature ntp

! Use company NTP servers in management VRF
ntp server 10.10.1.10 prefer use-vrf management
ntp server 10.10.1.11 use-vrf management
ntp server 10.10.1.12 use-vrf management

! Use public NTP as backup in default VRF
ntp server 129.6.15.28 use-vrf default
ntp server 132.163.96.1 use-vrf default

ntp source-interface mgmt0

clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60

ntp logging

copy running-config startup-config
```

### Example 2: Secure Configuration with Authentication

```cisco
configure terminal

feature ntp

ntp authenticate
! Key entered in plain text (no trailing 7, which would mark it as encrypted)
ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024
ntp trusted-key 10

ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 10

ntp access-group peer NTP-PEERS

ip access-list NTP-PEERS
  10 permit ip 10.10.1.0/24 any
  20 deny ip any any log

ntp source-interface mgmt0
ntp logging

clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60

copy running-config startup-config
```

---

## Troubleshooting Guide

### Issue: NTP Not Synchronizing

**Symptoms:**

- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (`*`) appears in `show ntp peers`

**Troubleshooting Steps:**

1. **Verify NTP feature is enabled:**

   ```cisco
   show feature | include ntp

   ! If disabled:
   configure terminal
   feature ntp
   ```

2. **Check network connectivity to NTP servers:**

   ```cisco
   ping 10.1.1.10 vrf management
   traceroute 10.1.1.10 vrf management
   ```

3. **Verify NTP packets are being exchanged:**

   ```cisco
   show ntp peer-status
   ! Check 'reach' column - should be 377 (binary 11111111)
   ! Check 'when' column - should be recent (< poll interval)
   ```

4. **Check for authentication mismatches:**

   ```cisco
   show ntp authentication-status
   ! Verify keys match between switch and server
   ```

5. **Verify correct VRF is configured:**

   ```cisco
   show running-config | include "ntp server"
   ! Ensure use-vrf matches your management connectivity
   ```

6. **Check firewall/ACL blocking UDP port 123:**

   ```cisco
   ! NTP uses UDP port 123
   show ip access-lists
   ```

7. **Verify time offset isn't too large:**

   ```cisco
   ! If offset > 1000 seconds, NTP may refuse to sync
   ! Manually set clock closer to correct time:
   clock set 14:30:00 15 January 2024
   ```

### Issue: High Offset or Jitter

**Symptoms:**

- Time drifts significantly
- High offset values in `show ntp peers`

**Troubleshooting Steps:**

1. **Check network latency:**

   ```cisco
   ! NX-OS ping takes "count" (not the IOS "repeat") for the number of probes
   ping 10.1.1.10 vrf management count 100
   ! Look for packet loss and high/variable latency
   ```

2. **Verify stratum levels:**

   ```cisco
   show ntp peers
   ! Stratum should be < 10 for reliable servers
   ! Lower stratum = more accurate
   ```

3. **Increase number of NTP servers:**

   ```cisco
   ! Use at least 3 servers for best accuracy
   ! NTP uses voting algorithm with multiple sources
   ```

4. **Check for upstream NTP issues:**

   ```cisco
   show ntp peer-status
   ! Verify your NTP servers are synchronized
   ```

### Issue: Authentication Failures

**Symptoms:**

- Peers show as unreachable despite network connectivity
- Authentication errors in logs

**Troubleshooting Steps:**

1. **Verify authentication is configured on both ends:**

   ```cisco
   show ntp authentication-status
   ```

2. **Check key ID and values match:**

   ```cisco
   show ntp authentication-keys
   ! Key number and MD5 hash must match server
   ```

3. **Verify trusted keys are configured:**

   ```cisco
   show running-config | include "ntp trusted-key"
   ```

4. **Temporarily disable authentication to test:**

   ```cisco
   configure terminal
   no ntp authenticate
   ! Test connectivity
   ! Re-enable after testing:
   ntp authenticate
   ```

### Issue: NTP Working but Time Still Wrong

**Symptoms:**

- `show ntp status` shows synchronized
- Clock shows incorrect time

**Troubleshooting Steps:**

1. **Verify timezone configuration:**

   ```cisco
   show running-config | include clock
   ! Ensure timezone matches your location
   ```

2. **Check daylight saving time settings:**

   ```cisco
   show clock detail
   ! Verify DST is configured if applicable
   ```

3. **Confirm NTP server time is correct:**

   ```cisco
   show ntp peers
   ! Check offset - should be small (< 100ms typically)
   ```

### Issue: Cannot Add NTP Server

**Symptoms:**

- Configuration commands rejected
- "Invalid VRF" error

**Troubleshooting Steps:**

1. **Verify VRF exists:**

   ```cisco
   show vrf
   ! Common VRFs: management, default
   ```

2. **Check if management interface is configured:**

   ```cisco
   show running-config interface mgmt0
   ! Ensure IP address and VRF are configured
   ```

3. **Verify source interface exists:**

   ```cisco
   show interface mgmt0 brief
   ```

---

## Best Practices

### Redundancy

- Configure at least **3 NTP servers** for optimal accuracy and redundancy
- Use diverse network paths to NTP servers when possible
- Consider using both internal and external NTP sources

### Security

- **Always use NTP authentication** in production environments
- Implement access control lists to limit NTP queries
- Use `use-vrf management` to isolate NTP traffic
- Monitor NTP logs for unusual activity

### Performance

- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2)

### Maintenance

- Regularly verify NTP synchronization status
- Monitor offset and jitter values
- Update authentication keys periodically
- Document your NTP server hierarchy

### Time Initialization

- When first configuring, manually set clock to within 1000 seconds of actual time
- NTP will refuse to sync if offset is too large initially
- Use `clock set` command before enabling NTP on new switches

---

## Monitoring and Logging

### Regular Health Checks

```cisco
! Daily verification
show ntp status | include "Clock is"
show ntp peers | include "\*"

! Weekly detailed check
show ntp peer-status
show clock detail
```

### Enable SNMP Monitoring

```cisco
configure terminal

! Enable SNMP for NTP monitoring
snmp-server enable traps ntp

! Configure SNMP trap receiver
snmp-server host 10.1.1.100 traps version 2c YourCommunity

copy running-config startup-config
```

### Syslog Monitoring

```cisco
configure terminal

! Ensure NTP logging is enabled
ntp logging

! Configure syslog server
logging server 10.1.1.50 6 use-vrf management

! Set appropriate logging level
logging level ntp 6

copy running-config startup-config
```

---

## Quick Reference Commands

| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp peers` | List all NTP peers and sync status |
| `show ntp peer-status` | Detailed peer statistics |
| `show clock detail` | Current time and configuration |
| `show feature \| include ntp` | Verify NTP feature enabled |
| `show running-config \| include ntp` | Display NTP configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `clear ntp statistics` | Reset NTP statistics |

---

## Appendix: Public NTP Servers

### NIST (US Government)

- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado

### US Naval Observatory

- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil

### NTP Pool Project

- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`

**Note:** For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly.

---

## Document Information

- **Target Platform:** Cisco Nexus 93180
- **NX-OS Versions:** 7.x, 9.x, 10.x
- **Last Updated:** March 2026
- **Document Purpose:** Configuration reference and troubleshooting guide

For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version.
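
The `reach` check from the troubleshooting steps, as an added example that is not part of the original guide: `reach` is an octal 8-bit shift register whose lowest bit is the most recent poll, so values other than 377 show when replies were lost. The sample `show ntp peer-status` text is constructed, its column layout is an assumption that may differ between NX-OS releases, and the function names are hypothetical.

```python
import re

# Constructed sample; the column layout is an assumption modelled on
# "show ntp peer-status" and may differ between NX-OS releases.
SAMPLE = """\
Total peers : 4
    remote            local      st  poll  reach  delay    vrf
----------------------------------------------------------------
*10.1.1.10          0.0.0.0       2    64    377  0.00134  management
=10.1.1.11          0.0.0.0       3    64    376  0.00210  management
=192.0.2.1          0.0.0.0      16    64      0  0.00000  default
=10.1.1.12          0.0.0.0       3    64      7  0.00190  management
"""

# flag, remote, (local skipped), stratum, poll, reach (octal digits only)
ROW = re.compile(r"^([*+=-])(\S+)\s+\S+\s+(\d+)\s+(\d+)\s+([0-7]+)\s+")

def decode_reach(reach_octal):
    """Return the last 8 polls, oldest first (True = reply received)."""
    value = int(reach_octal, 8) & 0xFF
    return [bool(value >> bit & 1) for bit in range(7, -1, -1)]

def classify(history):
    """Turn an 8-poll history into a troubleshooting hint."""
    if not any(history):
        return "unreachable"      # 0: no reply in the last 8 polls
    if all(history):
        return "healthy"          # 377: all 8 polls answered
    if not history[-1]:
        return "losing-replies"   # the newest poll went unanswered
    if all(history[history.index(True):]):
        return "recovering"       # e.g. 7: peer recently came up
    return "intermittent"         # gaps in the middle: loss or filtering

def parse_peers(text):
    """Parse peer rows and attach the decoded reach state to each."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or summary line
        flag, remote, stratum, _poll, reach = m.groups()
        peers.append({"remote": remote, "selected": flag == "*",
                      "stratum": int(stratum), "reach": reach,
                      "state": classify(decode_reach(reach))})
    return peers

if __name__ == "__main__":
    for peer in parse_peers(SAMPLE):
        print(peer)
```
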
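
Why both the key number and the key value must match in the authentication troubleshooting steps, as an added example that is not part of the original guide: with `md5` keys, NTP appends a 4-byte key ID and a 16-byte MD5 digest of key plus header to each packet, and the receiver recomputes the digest with its own copy of that key ID. The keys are the sample values from this guide and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

HEADER_LEN, MAC_LEN = 48, 4 + 16  # NTP header; key ID + MD5 digest

def build_client_packet():
    """Minimal 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    return bytes([0x23]) + bytes(HEADER_LEN - 1)

def add_mac(packet, key_id, key):
    """Append the key ID and MD5(key || packet), the NTP symmetric-key MAC."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify(message, trusted_keys):
    """Check a received message against {key_id: key}; return (ok, reason)."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False, "no-mac"            # sender is not authenticating
    packet = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = message[HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "untrusted-key-id"  # missing "ntp trusted-key" or wrong ID
    expected = hashlib.md5(key + packet).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad-digest"        # key value differs or packet altered
    return True, "ok"

def demo():
    """Run the mismatch cases from the troubleshooting steps."""
    server_keys = {1: b"YourSecureKey123", 2: b"AnotherSecureKey456"}
    pkt = build_client_packet()
    return {
        "matching key 1": verify(add_mac(pkt, 1, b"YourSecureKey123"), server_keys),
        "wrong value for key 1": verify(add_mac(pkt, 1, b"yoursecurekey123"), server_keys),
        "key ID unknown to server": verify(add_mac(pkt, 10, b"YourSecureKey123"), server_keys),
        "authentication disabled": verify(pkt, server_keys),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
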