| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| ESS9300 NTP | | true | 2026-03-31T21:25:08.700Z | | markdown | 2026-03-31T21:25:08.700Z |
Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide
Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting.
NTP Configuration
Basic NTP Server Configuration
configure terminal
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer
ntp server 10.1.1.11
ntp server 192.0.2.1
! Configure NTP source interface (optional but recommended)
ntp source GigabitEthernet1/1
! Alternatively, use management interface if configured
! ntp source GigabitEthernet0/0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Save configuration
end
write memory
NTP Authentication (Recommended for Production)
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys (key ID 1-65535)
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2
end
write memory
NTP Access Control (Security Best Practice)
configure terminal
! Define access control for NTP
! peer: Allow time requests and control queries, and allow the switch to sync to these sources
! serve: Respond to time requests and control queries from these sources, but never sync to them
! serve-only: Respond to time requests only
! query-only: Allow NTP control (status) queries only
ntp access-group peer 10
ntp access-group serve 20
ntp access-group query-only 30
! Create access lists
access-list 10 remark NTP Peers - Allow sync
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 remark NTP Serve - Respond to requests
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 30 remark NTP Query - Status queries only
access-list 30 permit 192.168.0.0 0.0.255.255
end
write memory
NTP Master Configuration (Switch as Time Source)
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest, typically atomic clocks)
! Use stratum 8-15 for internal masters
end
write memory
Advanced NTP Configuration
configure terminal
! Update calendar from NTP (hardware clock sync)
ntp update-calendar
! Disable NTP on specific interfaces (if needed)
interface GigabitEthernet1/10
ntp disable
exit
! Configure NTP broadcast (server mode)
interface GigabitEthernet1/1
ntp broadcast
exit
! Configure NTP broadcast client (client mode)
interface GigabitEthernet1/2
ntp broadcast client
exit
! Configure NTP logging
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
Verification Commands
Check NTP Status
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10
! ntp uptime is 86400 (1/100 of seconds), resolution is 4016
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.5234 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s
! system poll interval is 64, last update was 25 sec ago
Check NTP Associations
! Show all NTP associations (peers)
show ntp associations
! Detailed view
show ntp associations detail
! Column descriptions:
! * = synchronized, + = candidate, # = selected, - = outlier
! address: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval (seconds)
! reach: reachability (377 octal = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! disp: dispersion/jitter (ms)
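The status flags and the reach column described above can be checked mechanically. This Python example is added here and is not part of the original guide or of Cisco tooling: it parses a `show ntp associations` capture, decodes reach as an 8-bit shift register, and reports degraded peers. The sample rows are constructed and the 100 ms offset limit is an assumption.

```python
import re

# Constructed sample of `show ntp associations` output (not captured from a device).
SAMPLE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.1.1.10       .GPS.            1     25     64   377  1.234  -0.523  1.230
+~10.1.1.11       10.1.1.10        2     30     64   357  2.100   0.812  2.040
 ~192.0.2.1       .INIT.          16      -     64     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# One association row: status flags, address, ref clock, then the numeric columns.
ROW = re.compile(
    r"^(?P<flags>[*#+\-x~ ]{1,2})(?P<addr>[0-9A-Fa-f.:]+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})\s+"
    r"(?P<delay>[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$"
)


def decode_reach(octal_text):
    """Return (answered polls out of the last 8, whether the newest poll was answered)."""
    reg = int(octal_text, 8) & 0xFF  # 8-bit shift register; bit 0 is the newest poll
    return bin(reg).count("1"), bool(reg & 1)


def check_associations(text, max_offset_ms=100.0):
    """Parse one capture and return (peers, findings). max_offset_ms is an assumed limit."""
    peers, findings = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend or blank line
        answered, newest_ok = decode_reach(m["reach"])
        addr, stratum, offset = m["addr"], int(m["st"]), float(m["offset"])
        peers.append({"addr": addr, "sys_peer": "*" in m["flags"], "stratum": stratum,
                      "answered": answered, "newest_ok": newest_ok, "offset_ms": offset})
        if answered == 0:
            findings.append(f"{addr}: unreachable (reach 0)")
        elif answered < 8:
            findings.append(f"{addr}: {8 - answered} of last 8 polls unanswered (reach {m['reach']})")
        if stratum >= 16:
            findings.append(f"{addr}: stratum 16 (unsynchronized)")
        if abs(offset) > max_offset_ms:
            findings.append(f"{addr}: offset {offset} ms exceeds {max_offset_ms} ms")
    if not any(p["sys_peer"] for p in peers):
        findings.append("no sys.peer (*): clock is not synchronized to any server")
    return peers, findings


if __name__ == "__main__":
    for finding in check_associations(SAMPLE)[1]:
        print(finding)
```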
Check Clock and Time
! Display current time
show clock
! Display detailed clock information
show clock detail
! Show calendar (hardware clock)
show calendar
Check NTP Configuration
! Show all NTP configuration
show ntp config
! Show running NTP configuration
show running-config | include ntp
show running-config | include clock
Check NTP Authentication
! Show authentication keys (hashed)
show ntp authentication-keys
! Show authentication status
show ntp status | include authentication
Common Configuration Examples
Example 1: Industrial Network Configuration
configure terminal
! Use site NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
ntp server 10.100.1.12
! Use primary uplink as source
ntp source GigabitEthernet1/1
! Central Standard Time
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Sync hardware clock
ntp update-calendar
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
Example 2: Secure Configuration with Authentication
configure terminal
! Enable NTP authentication
ntp authenticate
ntp authentication-key 10 md5 Ind_NTP_K3y_2024
ntp trusted-key 10
! Configure authenticated servers
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10
! Access control
ntp access-group peer 10
ntp access-group query-only 30
access-list 10 remark NTP Peers
access-list 10 permit 10.100.1.0 0.0.0.255
access-list 30 remark NTP Query
access-list 30 permit 10.100.0.0 0.0.255.255
! Source and timezone
ntp source GigabitEthernet1/1
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
service timestamps log datetime msec localtime show-timezone
end
write memory
Example 3: Redundant Time Source with Fallback
configure terminal
! Primary NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
! Fallback to public NTP if internal servers fail
ntp server 129.6.15.28
ntp server 132.163.96.1
! Use as master only if all external sources fail
ntp master 10
ntp source GigabitEthernet1/1
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
end
write memory
Troubleshooting Guide
Issue: NTP Not Synchronizing
Symptoms:
- show ntp status shows "Clock is unsynchronized"
- No asterisk (*) appears in show ntp associations
- "unsynchronized" appears in status output
Troubleshooting Steps:
- Verify NTP servers are configured:
    show running-config | include ntp server
- Check network connectivity to NTP servers:
    ping 10.1.1.10
    ping 10.1.1.10 source GigabitEthernet1/1
    traceroute 10.1.1.10
- Verify NTP packets are being exchanged:
    show ntp associations detail
    ! Check 'reach' value - should be 377 (octal) = all attempts successful
    ! Check 'when' value - should be recent (< poll interval)
- Check for authentication mismatches:
    show ntp status
    ! Look for authentication errors
    debug ntp all
    ! Watch for authentication failures
    undebug all
- Verify access lists aren't blocking NTP:
    show access-lists
    ! NTP uses UDP port 123
    ! Verify ACLs allow UDP 123 traffic
- Check for large time offset:
    show ntp associations detail
    ! If offset > 1000 seconds, manually set clock first
    clock set 14:30:00 15 January 2024
- Verify source interface is up:
    show ip interface brief | include GigabitEthernet1/1
    ! Source interface must be up/up
Issue: High Offset or Jitter
Symptoms:
- Time drifts significantly
- High offset values in show ntp associations
- Inconsistent time across devices
Troubleshooting Steps:
- Check network latency and stability:
    ping 10.1.1.10 repeat 100
    ! Look for:
    ! - Packet loss (should be 0%)
    ! - High round-trip time (> 100ms problematic)
    ! - Variable latency (jitter)
- Verify stratum levels:
    show ntp associations
    ! Stratum (st) should be:
    ! - < 10 for reliable servers
    ! - Lower is better (1 = atomic clock, 2 = GPS)
    ! - Your switch should be stratum +1 from source
- Increase number of NTP servers:
    ! Use at least 3 servers for best accuracy
    ! NTP uses voting algorithm to select best time source
    configure terminal
    ntp server 10.1.1.12
    ntp server 10.1.1.13
- Check upstream NTP server health:
    show ntp associations detail
    ! Verify servers show:
    ! - condition = 'sys.peer' or 'candidate'
    ! - reach = 377
    ! - Low dispersion (disp)
- Monitor polling interval:
    show ntp associations
    ! Poll interval should stabilize at 64-1024 seconds
    ! Frequent changes indicate instability
Issue: Authentication Failures
Symptoms:
- Peers show as unreachable despite network connectivity
- NTP status shows authentication errors
- Reach value remains 0
Troubleshooting Steps:
- Verify authentication is enabled:
    show ntp status | include authentication
    ! Should show: "authentication enabled"
- Check authentication keys are configured:
    show ntp authentication-keys
    ! Verify key IDs exist
- Verify trusted keys:
    show running-config | include ntp trusted-key
    ! Keys must be marked as trusted
- Confirm server configuration uses correct key:
    show running-config | include ntp server
    ! Verify key ID matches trusted key
- Debug authentication:
    debug ntp authentication
    debug ntp validity
    ! Watch for authentication failures
    ! Look for key mismatches
    undebug all
- Temporarily disable authentication to test:
    configure terminal
    no ntp authenticate
    ! Test if synchronization works without auth
    ! Then re-enable:
    ntp authenticate
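The first four checks in this procedure can also be run offline against a saved running-config. This Python example is added here and is not part of the original guide or of Cisco tooling: it verifies that authentication is enabled and that every server's key ID is both defined and trusted. The two configs are constructed, `EXAMPLE_KEY` is a placeholder, and only the single-ID command forms shown in this guide are assumed.

```python
import re

# Constructed configs modelled on this guide's examples; EXAMPLE_KEY is a placeholder.
GOOD = """\
ntp authenticate
ntp authentication-key 10 md5 EXAMPLE_KEY
ntp trusted-key 10
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10
"""
BAD = """\
ntp authentication-key 1 md5 EXAMPLE_KEY
ntp authentication-key 3 md5 EXAMPLE_KEY
ntp trusted-key 1
ntp trusted-key 4
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2
ntp server 10.1.1.12 key 3
ntp server 192.0.2.1
"""


def _key_ids(lines, pattern):
    """Collect the key IDs from every line that matches pattern."""
    return {int(m.group(1)) for m in map(re.compile(pattern).match, lines) if m}


def audit_ntp_auth(config):
    """Return findings about the NTP authentication chain in a saved running-config.

    Assumes the 'ntp trusted-key N' and 'ntp server ADDR ... key N' forms used in this guide.
    """
    lines = [line.strip() for line in config.splitlines()]
    defined = _key_ids(lines, r"ntp authentication-key (\d+) ")
    trusted = _key_ids(lines, r"ntp trusted-key (\d+)$")
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("'ntp authenticate' is not configured")
    for key in sorted(trusted - defined):
        findings.append(f"trusted-key {key} has no matching authentication-key")
    for line in lines:
        m = re.match(r"ntp (?:server|peer) (\S+)(.*)$", line)
        if not m:
            continue
        key = re.search(r"\bkey (\d+)\b", m.group(2))
        if key is None:
            findings.append(f"{m.group(1)}: no key on this association, replies are unauthenticated")
        elif int(key.group(1)) not in defined:
            findings.append(f"{m.group(1)}: key {key.group(1)} is not defined")
        elif int(key.group(1)) not in trusted:
            findings.append(f"{m.group(1)}: key {key.group(1)} is defined but not trusted")
    return findings
```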
Issue: Time Correct but Timezone Wrong
Symptoms:
- NTP shows synchronized
- Time is off by exact number of hours
- Logs show incorrect time
Troubleshooting Steps:
- Verify timezone configuration:
    show running-config | include clock timezone
    ! Ensure timezone offset is correct for your location
- Check daylight saving time:
    show clock detail
    ! Verify DST rules are correct
    ! Look for summer-time configuration
- Reconfigure timezone if needed:
    configure terminal
    clock timezone EST -5 0
    clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
- Verify timestamps in logs:
    show running-config | include service timestamps
    ! Should include 'localtime' and 'show-timezone'
Issue: Hardware Clock Not Updating
Symptoms:
- show clock shows correct time
- show calendar shows old time
- Time resets after reload
Troubleshooting Steps:
- Verify update-calendar is configured:
    show running-config | include ntp update-calendar
- Manually update calendar:
    ntp update-calendar
    ! Or manually:
    clock update-calendar
- Check calendar after sync:
    show calendar
    show clock
    ! Should match within a few seconds
- Configure automatic update:
    configure terminal
    ntp update-calendar
    end
    write memory
Issue: NTP Works but Stops After Some Time
Symptoms:
- NTP synchronizes initially
- Loses sync after hours/days
- Reach value degrades over time
Troubleshooting Steps:
- Check for network instability:
    show ntp associations detail
    ! Monitor 'reach' value over time
    ! Should remain at 377
- Verify interface stability:
    show interface GigabitEthernet1/1
    ! Check for errors, resets, or flapping
- Check for routing changes:
    show ip route 10.1.1.10
    ! Verify consistent route to NTP server
- Monitor NTP server health:
    ! Check if NTP server itself is stable
    show ntp associations detail
    ! Look for increasing dispersion
- Check for memory or CPU issues:
    show processes cpu sorted
    show processes memory sorted
    ! High CPU or memory can affect NTP
Best Practices
Redundancy
- Configure at least 3 NTP servers for optimal accuracy and fault tolerance
- Use diverse network paths to NTP servers when possible
- Consider geographic diversity for enterprise deployments
- Use both on-site and off-site NTP sources
Security
- Always use NTP authentication in production industrial environments
- Implement access control lists to restrict NTP access
- Use MD5 authentication keys with strong passwords
- Regularly rotate authentication keys (annually recommended)
- Monitor for NTP-based attacks (amplification, spoofing)
Performance
- Use the prefer keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal for enterprise)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2 instead)
- Ensure stable network path to NTP servers
Industrial Environment Considerations
- Account for temperature variations in industrial settings
- Use ruggedized NTP appliances in harsh environments
- Consider GPS-based NTP servers for isolated sites
- Implement redundant time sources for critical applications
- Test NTP resilience during network outages
Maintenance
- Regularly verify NTP synchronization status (daily)
- Monitor offset and jitter values (weekly)
- Review NTP logs for anomalies
- Update authentication keys periodically
- Document your NTP server hierarchy
- Test failover scenarios
Time Initialization
- When first configuring, manually set clock to within 1000 seconds
- NTP will refuse to sync if initial offset is too large
- Use the clock set command before enabling NTP on new switches
- Allow 10-15 minutes for initial synchronization
- Monitor stabilization with show ntp associations
Monitoring and Logging
Regular Health Checks
! Daily verification
show ntp status | include Clock
show ntp associations | include "\*"
! Weekly detailed check
show ntp associations detail
show clock detail
! Check for errors
show logging | include NTP
Enable SNMP Monitoring
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 version 2c YourCommunity
end
write memory
Syslog Monitoring
configure terminal
! Configure syslog server
logging host 10.1.1.50
! Set logging level
logging trap informational
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
end
write memory
EEM Script for NTP Monitoring
configure terminal
! Create EEM applet to monitor NTP
event manager applet NTP-Monitor
event timer watchdog time 300
action 1.0 cli command "enable"
action 2.0 cli command "show ntp status | include Clock"
action 3.0 regexp "unsynchronized" "$_cli_result"
action 4.0 if $_regexp_result eq 1
action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized"
action 4.2 cli command "show ntp associations"
action 5.0 end
end
write memory
Debug Commands
NTP Debugging
! Enable NTP debugging (use with caution in production)
debug ntp all
debug ntp authentication
debug ntp events
debug ntp packets
debug ntp validity
! Disable debugging
undebug all
! Or
no debug all
Conditional Debugging
! Debug specific NTP server
debug ntp packets 10.1.1.10
! View debug output
terminal monitor
! Then enable debugging
Warning: Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete.
Quick Reference Commands
| Command | Purpose |
|---|---|
| show ntp status | Display synchronization status |
| show ntp associations | List all NTP peers and sync status |
| show ntp associations detail | Detailed peer statistics |
| show clock | Current system time |
| show clock detail | Time with timezone and DST info |
| show calendar | Hardware clock time |
| show running-config \| include ntp | Display NTP configuration |
| show running-config \| include clock | Display time configuration |
| show ntp authentication-keys | List configured auth keys |
| ntp update-calendar | Sync hardware clock from system |
| clock update-calendar | Alternative calendar sync |
| clock set HH:MM:SS DD Month YYYY | Manually set system time |
IOS-XE Specific Features
NTP Broadcast
The ESS 9300 running IOS-XE supports NTP broadcast mode:
! Server sends periodic broadcasts
interface GigabitEthernet1/1
ntp broadcast
exit
! Client receives broadcasts
interface GigabitEthernet1/2
ntp broadcast client
exit
NTP Multicast
! Server sends to multicast group
interface GigabitEthernet1/1
ntp multicast 224.0.1.1
exit
! Client receives multicast
interface GigabitEthernet1/2
ntp multicast client 224.0.1.1
exit
IPv6 NTP Support
configure terminal
! IPv6 NTP server
ntp server 2001:db8::10 prefer
! IPv6 source interface
ntp source Vlan100
end
write memory
Appendix: Public NTP Servers
NIST (US Government)
- 129.6.15.28 - NIST, Gaithersburg, Maryland
- 129.6.15.29 - NIST, Gaithersburg, Maryland
- 132.163.96.1 - NIST, Boulder, Colorado
- 132.163.96.2 - NIST, Boulder, Colorado
US Naval Observatory
- 192.5.41.40 - tick.usno.navy.mil
- 192.5.41.41 - tock.usno.navy.mil
NTP Pool Project
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
Regional Pools
- 0.north-america.pool.ntp.org
- 0.us.pool.ntp.org
Note: For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy.
Integration with Industrial Protocols
PTP (Precision Time Protocol) Coexistence
The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices:
- Use PTP for sub-microsecond precision (automation, motion control)
- Use NTP for general timekeeping (logging, AAA, management)
- Keep NTP and PTP on separate VLANs if possible
- Use NTP for non-critical devices
- Reserve PTP for time-critical industrial applications
Synchronization with PLCs and SCADA
! Configure NTP to serve time to industrial devices
configure terminal
ntp master 3
ntp source GigabitEthernet1/1
! Allow SCADA network to query time
ntp access-group serve 20
access-list 20 permit 10.50.0.0 0.0.255.255
end
write memory
Differences from Nexus NX-OS
Key differences when coming from Nexus switches:
| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) |
|---|---|---|
| VRF syntax | use-vrf management | Not required (use source instead) |
| Feature enable | feature ntp | Not required (built-in) |
| Calendar sync | N/A | ntp update-calendar |
| Save config | copy run start | write memory or copy run start |
| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) |
| Interface naming | mgmt0 | GigabitEthernet0/0 |
Document Information
Target Platform: Cisco Catalyst ESS 9300 (IE-9300)
Operating System: IOS-XE
IOS-XE Versions: 17.x
Last Updated: March 2026
Document Purpose: Configuration reference and troubleshooting guide for industrial Ethernet environments
For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version.