traveler/Netgrimoire
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Netgrimoire/Periphery/Work/Cisco/Nexus_NTP.md
traveler bb997e2fa7 perephiery
2026-04-12 15:55:45 -05:00

518 lines
No EOL
13 KiB
Markdown
Raw Blame History

---
title: NTP Deep dive on the Nexus
description: Config and troubleshoot
published: true
date: 2026-03-31T20:46:08.474Z
tags:
editor: markdown
dateCreated: 2026-03-31T20:45:58.287Z
---
# Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation.
---
## NTP Configuration
### Basic NTP Server Configuration
configure terminal
! Enable NTP feature (if not already enabled)
feature ntp
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer use-vrf management
ntp server 10.1.1.11 use-vrf management
ntp server 192.0.2.1 use-vrf default
! Configure NTP source interface (optional but recommended)
ntp source-interface mgmt0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
! Save configuration
copy running-config startup-config
### NTP Authentication (Recommended for Production)
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys
ntp authentication-key 1 md5 YourSecureKey123 7
ntp authentication-key 2 md5 AnotherSecureKey456 7
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer use-vrf management key 1
ntp server 10.1.1.11 use-vrf management key 2
copy running-config startup-config
### NTP Access Control (Security Best Practice)
configure terminal
! Define access control for NTP
! peer: Allow sync and queries
! serve: Respond to queries only
! serve-only: Respond to queries but don't sync
! query-only: Allow queries only
ntp access-group peer PeerACL
ntp access-group serve ServeACL
ntp access-group query-only QueryACL
! Create ACLs
ip access-list NTP-Peers
10 permit ip 10.1.1.0/24 any
20 deny ip any any
ip access-list NTP-Serve
10 permit ip 10.0.0.0/8 any
20 deny ip any any
copy running-config startup-config
### NTP Master Configuration (Switch as Time Source)
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest)
copy running-config startup-config
### Logging NTP Events
configure terminal
! Enable logging for NTP
ntp logging
! Adjust logging level if needed
logging level ntp 6
copy running-config startup-config
---
## Verification Commands
### Check NTP Status
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.0023 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
### Check NTP Peers
! Show all NTP peers and their status
show ntp peers
! Column descriptions:
! * = synchronized, + = candidate, # = selected
! remote: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval
! reach: reachability (377 = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! jitter: dispersion (ms)
### Check NTP Statistics
! Show detailed peer statistics
show ntp peer-status
! Show specific peer details
show ntp peer 10.1.1.10
### Check NTP Authentication
! Verify authentication keys
show ntp authentication-keys
! Check authentication status
show ntp authentication-status
### Check Time Configuration
! Display current clock settings
show clock detail
! Show timezone configuration
show running-config | include clock
---
## Common Configuration Examples
### Example 1: Enterprise Configuration with Multiple Servers
configure terminal
feature ntp
! Use company NTP servers in management VRF
ntp server 10.10.1.10 prefer use-vrf management
ntp server 10.10.1.11 use-vrf management
ntp server 10.10.1.12 use-vrf management
! Use public NTP as backup in default VRF
ntp server 129.6.15.28 use-vrf default
ntp server 132.163.96.1 use-vrf default
ntp source-interface mgmt0
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
ntp logging
copy running-config startup-config
### Example 2: Secure Configuration with Authentication
configure terminal
feature ntp
ntp authenticate
ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024 7
ntp trusted-key 10
ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 10
ntp access-group peer NTP-PEERS
ip access-list NTP-PEERS
10 permit ip 10.10.1.0/24 any
20 deny ip any any log
ntp source-interface mgmt0
ntp logging
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
copy running-config startup-config
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp peers`
**Troubleshooting Steps:**
1. **Verify NTP feature is enabled:**
show feature | include ntp
! If disabled:
configure terminal
feature ntp
2. **Check network connectivity to NTP servers:**
ping 10.1.1.10 vrf management
traceroute 10.1.1.10 vrf management
3. **Verify NTP packets are being exchanged:**
show ntp peer-status
! Check 'reach' column - should be 377 (binary 11111111)
! Check 'when' column - should be recent (< poll interval)
4. **Check for authentication mismatches:**
show ntp authentication-status
! Verify keys match between switch and server
5. **Verify correct VRF is configured:**
show running-config | include "ntp server"
! Ensure use-vrf matches your management connectivity
6. **Check firewall/ACL blocking UDP port 123:**
! NTP uses UDP port 123
show ip access-lists
7. **Verify time offset isn't too large:**
! If offset > 1000 seconds, NTP may refuse to sync
! Manually set clock closer to correct time:
clock set 14:30:00 15 January 2024
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp peers`
**Troubleshooting Steps:**
1. **Check network latency:**
ping 10.1.1.10 vrf management repeat 100
! Look for packet loss and high/variable latency
2. **Verify stratum levels:**
```cisco
show ntp peers
! Stratum should be < 10 for reliable servers
! Lower stratum = more accurate
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm with multiple sources
```
4. **Check for upstream NTP issues:**
```cisco
show ntp peer-status
! Verify your NTP servers are synchronized
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- Authentication errors in logs
**Troubleshooting Steps:**
1. **Verify authentication is configured on both ends:**
```cisco
show ntp authentication-status
```
2. **Check key ID and values match:**
```cisco
show ntp authentication-keys
! Key number and MD5 hash must match server
```
3. **Verify trusted keys are configured:**
```cisco
show running-config | include "ntp trusted-key"
```
4. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test connectivity
! Re-enable after testing:
ntp authenticate
```
### Issue: NTP Working but Time Still Wrong
**Symptoms:**
- `show ntp status` shows synchronized
- Clock shows incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock
! Ensure timezone matches your location
```
2. **Check daylight saving time settings:**
```cisco
show clock detail
! Verify DST is configured if applicable
```
3. **Confirm NTP server time is correct:**
```cisco
show ntp peers
! Check offset - should be small (< 100ms typically)
```
### Issue: Cannot Add NTP Server
**Symptoms:**
- Configuration commands rejected
- "Invalid VRF" error
**Troubleshooting Steps:**
1. **Verify VRF exists:**
```cisco
show vrf
! Common VRFs: management, default
```
2. **Check if management interface is configured:**
```cisco
show running-config interface mgmt0
! Ensure IP address and VRF are configured
```
3. **Verify source interface exists:**
```cisco
show interface mgmt0 brief
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and redundancy
- Use diverse network paths to NTP servers when possible
- Consider using both internal and external NTP sources
### Security
- **Always use NTP authentication** in production environments
- Implement access control lists to limit NTP queries
- Use `use-vrf management` to isolate NTP traffic
- Monitor NTP logs for unusual activity
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2)
### Maintenance
- Regularly verify NTP synchronization status
- Monitor offset and jitter values
- Update authentication keys periodically
- Document your NTP server hierarchy
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds of actual time
- NTP will refuse to sync if offset is too large initially
- Use `clock set` command before enabling NTP on new switches
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include "Clock is"
show ntp peers | include "\*"
! Weekly detailed check
show ntp peer-status
show clock detail
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 traps version 2c YourCommunity
copy running-config startup-config
```
### Syslog Monitoring
```cisco
configure terminal
! Ensure NTP logging is enabled
ntp logging
! Configure syslog server
logging server 10.1.1.50 6 use-vrf management
! Set appropriate logging level
logging level ntp 6
copy running-config startup-config
```
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp peers` | List all NTP peers and sync status |
| `show ntp peer-status` | Detailed peer statistics |
| `show clock detail` | Current time and configuration |
| `show feature \| include ntp` | Verify NTP feature enabled |
| `show running-config \| include ntp` | Display NTP configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `clear ntp statistics` | Reset NTP statistics |
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
**Note:** For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly.
---
## Document Information
**Target Platform:** Cisco Nexus 93180
**NX-OS Versions:** 7.x, 9.x, 10.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide
For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version.
Reference in a new issue View git blame Copy permalink