Introduction
This document provides an example Network Time Protocol (NTP)
configuration for a Catalyst 6000 family switch with redundant supervisor
engines, and dual Multilayer Switch Feature Cards (MSFCs) with configuration
synchronization enabled.
Before You Begin
Conventions
Refer to Cisco Technical Tips Conventions for more information on
document conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
This document is not restricted to specific software and hardware
versions.
Example NTP Configuration for High Availability Catalyst 6000 Switch
Figure 1 shows the network topology for this example configuration.
Figure 1: Network Topology
This example shows a Catalyst 6509 with redundant supervisor engines
and MSFCs. This is the show module command output
from the switch:
Cat6000> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE    yes standby
16  2    1     Multilayer Switch Feature WS-F6K-MSFC         no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      no  ok

Mod Module-Name         Serial-Num
--- ------------------- -----------
1                       SAD04240E48
15                      SAD042406UW
2                       SAD042400YL
16                      SAD042407KG
3                       SAL04440WY6

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-30-7b-96-7c-5a to 00-30-7b-96-7c-5b 3.1    5.3(1)     5.5(7)
    00-30-7b-96-7c-58 to 00-30-7b-96-7c-59
    00-02-7e-02-a0-00 to 00-02-7e-02-a3-ff
15  00-d0-d3-a3-b6-a7 to 00-d0-d3-a3-b6-e6 1.4    12.1(6)E   12.1(6)E
2   00-d0-c0-cf-72-12 to 00-d0-c0-cf-72-13 3.1    5.3(1)     5.5(7)
    00-d0-c0-cf-72-10 to 00-d0-c0-cf-72-11
16  00-d0-c0-cf-72-14 to 00-d0-c0-cf-72-53 1.4    12.1(6)E   12.1(6)E
3   00-03-6c-29-ba-b0 to 00-03-6c-29-ba-df 1.4    5.4(2)     5.5(7)

Mod Sub-Type                Sub-Model           Sub-Serial  Sub-Hw
--- ----------------------- ------------------- ----------- ------
1   L3 Switching Engine     WS-F6K-PFC          SAD04240L70 1.1
2   L3 Switching Engine     WS-F6K-PFC          SAD04220KC5 1.1
Cat6000> (enable)
In this example, assume that this Catalyst 6509 is a core switch in the
network. The dual MSFCs in the switch will function as NTP servers for other
routers and switches in the network (including the supervisor engine on this
switch itself).
The MSFCs will synchronize their clocks to a master NTP server located
in a remote subnet in the network. In practice, this might be a private local
NTP server, or a public NTP server. In either case, this server would typically
synchronize its time with another, lower stratum clock, such as an atomic
clock.
The dual MSFCs in this example have configuration synchronization
(config-sync) enabled. This automatically synchronizes the configuration on the
designated MSFC to the non-designated MSFC. See the Related Information section for more information on
config-sync.
Here is the configuration of MSFC15 (the designated MSFC). The
configuration on MSFC16 is exactly the same, with the exception that for those
commands where the alt command is specified, MSFC16
uses the command after the alt keyword. For example,
the hostname of MSFC15 is MSFC15; the hostname of MSFC16 is MSFC16.
version 12.1
no service pad
!
!--- Enable datetime service timestamps.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
no service password-encryption
!
!
!--- Hostnames for the MSFCs.
hostname MSFC15 alt hostname MSFC16
!
boot system flash bootflash:c6msfc-jsv-mz.121-6.E.bin
enable password cisco
!
!
!--- Both MSFCs are in the PST timezone.
clock timezone PST -8
!
!--- Both MSFCs will adjust the clock for Daylight Saving Time.
clock summer-time PDT recurring
!
!--- If connectivity to the NTP server is lost, the calendar is used
!--- as an authoritative time source.
clock calendar-valid
!
!
ip subnet-zero
!
!
no ip finger
ip domain-name corp.com
ip name-server 172.16.55.120
ip name-server 171.16.60.120
!
!
!--- config-sync is enabled.
redundancy
 high-availability
  config-sync
!
!
!
!--- Each MSFC has a loopback0 interface in a different /30 subnet.
interface Loopback0
 ip address 10.10.10.1 255.255.255.252 alt ip address 10.10.10.5 255.255.255.252
!
!
!--- VLAN 1 is the management subnet, where the switch sc0 interface is located.
interface Vlan1
 description Network Management Subnet
 ip address 172.16.100.2 255.255.255.0 alt ip address 172.16.100.3 255.255.255.0
 no ip redirects
 standby 1 priority 105 preempt alt standby 1 priority 100 preempt
 standby 1 ip 172.16.100.1 alt standby 1 ip 172.16.100.1
!
<VARIOUS VLAN INTERFACES NOT RELEVANT TO THIS EXAMPLE>
!
router eigrp 10
 network 10.0.0.0
 network 172.0.0.0
 network 172.0.0.0 0.255.255.255
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
no ip http server
!
!
!
line con 0
 transport input none
line vty 0 4
 password cisco
 login
 transport input lat pad mop telnet rlogin udptn nasi
!
!
!--- Each MSFC uses the IP address of the loopback0 interface as
!--- the source IP for NTP packets.
ntp source Loopback0
!
!--- The MSFCs will update the hardware calendar with the NTP time.
ntp update-calendar
!
!--- Both MSFCs are getting the time from 10.100.100.1.
ntp server 10.100.100.1
!
end
Note: Some commands do not support the alt
keyword, and therefore cannot be used with config-sync. An example is the
ntp peer command. Config-sync support for this
command would allow MSFC15 and MSFC16 to establish an NTP peer relationship. If
this is a requirement in your network, you can disable config-sync and manually
ensure that the configurations on the two MSFCs meet the requirements for dual
MSFC systems. See the Related Information section for more information.
On the supervisor engine, the sc0 management interface (172.16.100.100)
belongs to VLAN 1. The default gateway for the switch is the Hot Standby Router
Protocol (HSRP) IP address on the VLAN 1 interface (172.16.100.1).
The supervisor engine points to two NTP servers for redundancy, the
loopback0 interfaces on MSFC15 and MSFC16. Other switches and routers in the
network are configured to do the same.
One disadvantage of this implementation is that if the entire switch
fails, other devices in the network become unsynchronized. An alternate
configuration for redundancy would have MSFCs in different chassis configured
as NTP servers, so that if one chassis fails, the other continues to function
as the NTP server.
This is the NTP configuration on the switch:
#ntp
#
#NTP client mode is enabled
set ntp client enable
#
#NTP server IP addresses (loopback0 interfaces on MSFC15 and MSFC16)
set ntp server 10.10.10.1
set ntp server 10.10.10.5
#
#Switch is in the PST timezone
set timezone PST -8 0
#
#Switch will adjust clock for Daylight Saving Time
set summertime enable PDT
set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60
Using NTP Authentication
NTP authentication adds a level of security to your NTP configuration.
You configure an NTP key string on each device. The key is hashed using the
Message Digest 5 (MD5) algorithm, and the resulting digest is passed in
each NTP packet. Before an NTP packet is processed, the digest is checked
against the key configured on the receiving device.
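How that check works on the wire, as an added example that is not part of the original document: in NTP symmetric-key authentication (RFC 5905) the sender appends a 4-byte key ID and the MD5 digest of the key string followed by the packet header, and the receiver recomputes the digest with its own copy of the key. Key 10 and `ticktock` are the values used in the configurations in this section; the zero-filled header fields and the wrong key string `ticktick` are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header
MAC_LEN = 4 + 16     # key ID + MD5 digest

def build_header(mode=3, version=3):
    """Constructed 48-byte NTP header: LI=0, given version and mode, rest zero."""
    first = (0 << 6) | (version << 3) | mode
    return bytes([first]) + bytes(HEADER_LEN - 1)

def sign(header, key_id, secret):
    """Append key ID and MD5(secret || header). The secret itself is never sent."""
    digest = hashlib.md5(secret + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet, keys, trusted):
    """Return (ok, reason) for a receiver that has authentication enabled."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no authenticator"
    header, digest = packet[:HEADER_LEN], packet[HEADER_LEN + 4:]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in trusted:
        return False, "key not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "ok"

def demo():
    """Run one signed client packet against differently configured receivers."""
    client = sign(build_header(), 10, b"ticktock")
    good = {10: b"ticktock"}
    return {
        "match": verify(client, good, {10}),
        "wrong_secret": verify(client, {10: b"ticktick"}, {10}),
        "not_trusted": verify(client, good, set()),
        "unauthenticated": verify(build_header(), good, {10}),
        "tampered": verify(bytes([client[0] ^ 1]) + client[1:], good, {10}),
        "secret_on_wire": b"ticktock" in client,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keyed MD5 is the scheme this document configures; RFC 8573 deprecates it for NTP in favour of AES-CMAC on platforms that support it.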
This is the configuration of MSFC15 (the designated MSFC) with the
added NTP authentication commands. The configuration on MSFC16 is exactly the
same.
!--- The key string for NTP authentication key 10 is "ticktock"
!--- (the key string is shown encrypted in the configuration)
ntp authentication-key 10 md5 ticktock
!
!--- Enables NTP authentication
ntp authenticate
!
!--- Makes NTP authentication key "10" a trusted key
ntp trusted-key 10
!
ntp source Loopback0
ntp update-calendar
ntp server 10.100.100.1
This is the NTP configuration on the switch with NTP authentication
enabled:
#ntp
set ntp client enable
#
#Enables NTP authentication
set ntp authentication enable
#
#The key string for NTP authentication key 10 is "ticktock"
#(the key string is shown encrypted in the configuration)
set ntp key 10 trusted md5 ticktock
#
#NTP server IP addresses, configured to use authentication key 10
set ntp server 10.10.10.1 key 10
set ntp server 10.10.10.5 key 10
#
set timezone PST -8 0
set summertime enable PDT
set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60
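A check for the difference between the two switch configurations above, as an added example that is not Cisco code: it reads the `set ntp` lines of a CatOS configuration and reports servers that would be accepted without a trusted key. The function name, the finding strings and the `DRIFT` sample are constructed here, and treating a key without the `trusted` token as untrusted is an assumption.

```python
import re

def audit_catos_ntp(config):
    """Return findings for the NTP authentication settings in a CatOS config."""
    auth_enabled = False
    keys = {}      # key id -> True if marked trusted
    servers = {}   # server address -> key id, or None if no key is named
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "set ntp authentication enable":
            auth_enabled = True
        elif m := re.fullmatch(r"set ntp key (\d+)(?: (trusted|untrusted))? md5 \S+", line):
            keys[int(m[1])] = m[2] == "trusted"
        elif m := re.fullmatch(r"set ntp server (\S+)(?: key (\d+))?", line):
            servers[m[1]] = int(m[2]) if m[2] else None
    findings = []
    if servers and not auth_enabled:
        findings.append("authentication not enabled")
    for addr, key_id in servers.items():
        if key_id is None:
            findings.append(f"server {addr}: no key")
        elif key_id not in keys:
            findings.append(f"server {addr}: key {key_id} not defined")
        elif not keys[key_id]:
            findings.append(f"server {addr}: key {key_id} not trusted")
    return findings

# NTP lines of the switch configuration without authentication (from this page).
BEFORE = """\
set ntp client enable
set ntp server 10.10.10.1
set ntp server 10.10.10.5
"""
# NTP lines of the switch configuration with authentication (from this page).
AFTER = """\
set ntp client enable
set ntp authentication enable
set ntp key 10 trusted md5 ticktock
set ntp server 10.10.10.1 key 10
set ntp server 10.10.10.5 key 10
"""
# Constructed drift case: one server lost its key, the other names key 11.
DRIFT = (AFTER.replace("10.10.10.1 key 10", "10.10.10.1")
              .replace("10.10.10.5 key 10", "10.10.10.5 key 11"))

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("drift", DRIFT)):
        print(name, audit_catos_ntp(cfg))
```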
Troubleshooting
Clock is Unsynchronized
The "Clock is unsynchronized" issue occurs when the NTP master does not
authenticate the NTP client request. This type of issue can occur when the
authentication-key and password are not configured on the master end.
You can confirm the condition with the output of the
show ntp status and show ntp association detail commands.
R2#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
!--- Output suppressed.
In the previous show command output,
Clock is unsynchronized and no reference clock
confirm that the clock is unsynchronized.
R2#show ntp association detail
12.0.0.1 configured, insane, invalid, unsynced, stratum 16
!--- Output suppressed.
In this output, insane, invalid, unsynced confirms
that the client is not synchronized with the master.
Related Information