Time synchronization

Using time synchronization ensures a uniform time among interoperating devices. This helps you to manage and troubleshoot switch operation by attaching meaningful time data to event and error messages.

For successful time protocol setup and specific configuration details, contact your system administrator regarding your local configuration. The HPE Aruba OS switch utilizes the Network Time Protocol (NTP).

NTP

NTP synchronizes the time of day among a set of distributed time servers and clients in order to correlate events when receiving system logs and other time-specific events from multiple network devices. NTP uses the User Datagram Protocol (UDP) as its transport protocol.

All NTP communications use Coordinated Universal Time (UTC). An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.

NTP uses a stratum to describe the distance between a network device and an authoritative time source:

  • A stratum 1 time server is directly attached to an authoritative time source (such as a radio or atomic clock or a GPS time source).

  • A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.

Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1.

You can use the security features of NTP to avoid the accidental or malicious setting of incorrect time. One such mechanism is available: an encrypted authentication mechanism.

Though similar, the NTP algorithm is more complex and accurate than the Simple Network Time Protocol (SNTP).


IMPORTANT: Enabling this feature results in synchronizing the system clock; therefore, it may affect all sub-systems that rely on system time.


NTP related commands

The following commands allow the user to configure NTP or show NTP configurations.

timesync

Syntax

 [no] timesync [timep | sntp | timep-or-sntp | ntp]
Description

Use this command to configure the protocol for network time synchronization.

Parameters and options

no

Deletes all timesync configurations on the device.

timep

Updates the system clock using TIMEP.

sntp

Updates the system clock using SNTP.

timep-or-sntp

Updates the system clock using TIMEP or SNTP (default).

ntp

Updates the system clock using NTP.

timesync

Switch(config)# timesync
sntp                  Update the system clock using SNTP.
timep                 Update the system clock using TIMEP.
timep-or-sntp         Update the system clock using TIMEP or SNTP.
ntp                   Update the system clock using NTP.

timesync ntp

Syntax

 timesync ntp
Description

Use this command to update the system clock using NTP.

ntp

Syntax

[no] ntp [broadcast|unicast]
Description

This command selects the operating mode of the NTP client. Defaults to broadcast.

Parameters and options

no

Using no ntp disables NTP and removes all NTP configurations on the device.

no ntp

switch(config)# no ntp
This will delete all NTP configurations on this device. Continue [y/n]?

broadcast

Sets ntp server to operate in broadcast mode.

unicast

Sets ntp server to operate in unicast mode.

[no] ntp

This command disables NTP and removes all NTP configurations on the device.

Syntax
[no] ntp [authentication <key-id> | broadcast | enable | max-association <integer> | server <IP-ADDR> | trap <trap-name> | unicast]
Description

Disables NTP and removes the entire NTP configuration.

Options

authentication

Configure NTP authentication.

broadcast

Operate in broadcast mode.

enable

Enable/disable NTP.

max-association

Maximum number of Network Time Protocol (NTP) associations.

server

Configure an NTP server to poll for time synchronization.

trap

Enable/disable NTP traps.

unicast

Operate in unicast mode.

Example
switch(config)# no ntp
This will delete all NTP configurations on this device. Continue [y/n]?

ntp enable

Syntax

ntp enable
Description

Use this command to enable or disable NTP on the switch.

Restrictions
Validation: If timeSync is in SNTP or Timep when NTP is enabled.
Error/Warning/Prompt: Timesync is not configured to NTP.

Validation: When timesync is NTP and ntp is enabled and we try to change timesync to SNTP.
Error/Warning/Prompt: Disable NTP before changing timesync to SNTP or TIMEP.

Enable ntp

switch(config)# ntp
enable       Enable/disable NTP.

ntp authentication

Syntax
ntp authentication key-id <KEY-ID> [authentication-mode <MODE> key-value <KEY-STRING>] [trusted]
Description

This command is used for authentication of NTP server by the NTP client.

Parameters and options

key-id <KEY-ID>

Sets the key-id for the authentication key.

authentication-mode

Sets the NTP authentication mode.

key-value <KEY-STRING>

Sets the key-value for the authentication key.

[trusted]

Sets the authentication key as trusted.

ntp authentication

Switch(config)# ntp
Authentication      Configure NTP authentication.


Switch(config)# ntp authentication
key-id              Set the key-id for this authentication key.


Switch(config)# ntp authentication key-id 
<1-4294967295>      Set the authentication key-id.


Switch(config)# ntp authentication key-id 1
authentication-mode  Set the NTP authentication mode.
trusted              Set this authentication key as trusted.


Switch(config)# ntp authentication key-id 1 authentication-mode|trusted
md5                  Authenticate using MD5.


Switch(config)# ntp authentication key-id 1 authentication-mode|trusted md5
key-value            Set the NTP authentication key.


Switch(config)# ntp authentication key-id 1 authentication-mode|trusted md5 key-value
KEY                  Enter a string to be set as the NTP authentication key.
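
How an MD5 authentication key protects an NTP reply, as an added example that is not from the HPE documentation. It assumes the standard NTP symmetric-key format (a 32-bit key ID followed by MD5 over the key and the 48-byte header); the key strings, header values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header that precedes the MAC
MAC_LEN = 4 + 16  # 32-bit key ID followed by a 16-byte MD5 digest


def sample_header(transmit_seconds):
    """Constructed server reply: LI=0, VN=4, Mode=4 (server), stratum 2."""
    first = (0 << 6) | (4 << 3) | 4
    fixed = struct.pack("!BBbb", first, 2, 6, -20)  # flags, stratum, poll, precision
    middle = bytes(36)  # root delay/dispersion, reference ID, three timestamps
    return fixed + middle + struct.pack("!II", transmit_seconds, 0)


def add_mac(header, key_id, key):
    """Sender side: append the key ID and MD5(key || header)."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_mac(packet, keys):
    """Client side: return 'ok' or the reason the packet is rejected.

    keys maps key-id -> (key bytes, trusted flag), like the table printed
    by 'show ntp authentication'.
    """
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "no-mac"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return "unknown-key-id"
    key, trusted = keys[key_id]
    if not trusted:
        return "key-not-trusted"
    expected = hashlib.md5(key + header).digest()
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-digest"


# Constructed key table: key-id 67 trusted, key-id 7 not trusted.
KEYS = {67: (b"constructed-key-67", True), 7: (b"constructed-key-7", False)}

if __name__ == "__main__":
    good = add_mac(sample_header(3_650_000_000), 67, KEYS[67][0])
    forged = sample_header(3_650_009_999) + good[HEADER_LEN:]  # time altered, MAC reused
    print(verify_mac(good, KEYS), verify_mac(forged, KEYS))
```

A reply whose timestamp is changed in transit fails the digest check, and a reply signed with a configured but untrusted key is rejected before the digest is even compared.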

ntp max-associations

Syntax
ntp max-associations <number>
Description

Use this command to configure the maximum number of servers associated with this NTP client.

Parameters and options

<number>

Sets the maximum number of NTP associations, in the range of 1–8.

ntp max-associations

Switch(config)# ntp
max-associations      Maximum number of NTP associations.

Switch(config)# ntp max-associations
<1-8>                  Enter the number.

Restrictions
Validation: When the number of configured NTP servers is more than the max-associations value.
Error/Warning/Prompt: The maximum number of NTP servers allowed is <number>.

Validation: When the max-associations value is less than the (n) number of configured NTP servers.
Error/Warning/Prompt: Max-associations value cannot be less than the number of NTP servers configured.

ntp server

Syntax
[no] ntp server <IP-ADDR|IPv6-ADDR> [key <KEY-ID>] [oobm] [max-poll <MAX-POLL-VAL>][min-poll <MIN-POLL-VAL>][burst | iburst] [version <1-4>]
Description

This command is used to configure the NTP servers. Configure a maximum of 8 NTP servers.

Parameters and options

no

Removes the unicast NTP configurations on the device.

IP-ADDR

Sets the IPv4 address of the NTP server.

IPv6-ADDR

Sets the IPv6 address of the NTP server.

KEY-ID

Specifies the authentication key.

oobm

Specifies that the NTP Unicast server is accessible over an OOBM interface.

MIN-POLL-VAL

Configures the minimum time intervals in seconds. Range is 4–17.

MAX-POLL-VAL

Configures the maximum time intervals in power of 2 seconds. Range is 4–17 (e.g., 5 would translate to 2 raised to 5 or 32).

burst

Enables burst mode.

iburst

Enables initial burst mode.

version

Sets version 1–4.

Restrictions
Validation: If authentication key-id not configured
Error/Warning/Prompt: Authentication key-id has not been configured.

Validation: If Key-id is not marked as trusted
Error/Warning/Prompt: Key-id is not trusted.

Validation: When min poll value is more than max poll value
Error/Warning/Prompt: NTP max poll value should be more than min poll value.
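
The restrictions on timesync, max-associations and ntp server, applied in order to a candidate configuration before it is pushed to a switch (added example, not HPE code). The function name, the two sample configurations, the default of 8 associations and the check for a server with no key are assumptions made here.

```python
import re


def lint_ntp_config(lines, max_assoc=8):
    """Check config lines in order; max_assoc=8 is an assumed default."""
    findings, keys, servers, timesync = [], {}, 0, None
    for line in (raw.strip() for raw in lines):
        if m := re.fullmatch(r"timesync (\S+)", line):
            timesync = m.group(1)
        elif m := re.match(r"ntp authentication key-id (\d+)", line):
            key_id = int(m.group(1))
            keys[key_id] = keys.get(key_id, False) or line.endswith(" trusted")
        elif m := re.fullmatch(r"ntp max-associations (\d+)", line):
            max_assoc = int(m.group(1))
        elif line == "ntp enable":
            if timesync != "ntp":
                findings.append("Timesync is not configured to NTP.")
        elif m := re.match(r"ntp server (\S+)", line):
            if servers >= max_assoc:
                findings.append(f"The maximum number of NTP servers allowed is {max_assoc}.")
                continue
            servers += 1
            opts = {k: int(v) for k, v in re.findall(r"\b(key|min-poll|max-poll) (\d+)", line)}
            if "key" not in opts:
                # Added hardening check, not a message printed by the switch.
                findings.append(f"{m.group(1)}: no key, replies are not authenticated")
            elif opts["key"] not in keys:
                findings.append(f"Authentication key-id {opts['key']} has not been configured.")
            elif not keys[opts["key"]]:
                findings.append(f"Key-id {opts['key']} is not trusted.")
            if opts.get("min-poll", 4) > opts.get("max-poll", 17):
                findings.append("NTP max poll value should be more than min poll value.")
    return findings


# Constructed configurations in the page's command syntax; addresses are from
# the documentation range and <KEY-STRING> stands for the shared secret.
HARDENED = [
    "timesync ntp",
    "ntp unicast",
    "ntp authentication key-id 67 authentication-mode md5 key-value <KEY-STRING> trusted",
    "ntp max-associations 2",
    "ntp server 192.0.2.10 key 67 min-poll 6 max-poll 10 iburst",
    "ntp server 192.0.2.11 key 67 min-poll 6 max-poll 10 iburst",
    "ntp enable",
]
WEAK = [
    "timesync sntp",
    "ntp authentication key-id 7 authentication-mode md5 key-value <KEY-STRING>",
    "ntp max-associations 3",
    "ntp server 192.0.2.10 key 7",
    "ntp server 192.0.2.11 key 99 min-poll 10 max-poll 6",
    "ntp server 192.0.2.12",
    "ntp server 192.0.2.13 key 7",
    "ntp enable",
]
```

The HARDENED list also shows a working order of commands: time protocol, key marked trusted, association limit, servers bound to the key, then ntp enable.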

ntp server configuration

Switch(config)# ntp
server          Allow the software clock to be synchronized by an NTP
time server.
broadcast       Operate in broadcast mode.
unicast         Operate in unicast mode.


Switch(config)# ntp server
IP-ADDR         IPv4 address of the NTP server. 
IPV6-ADDR       IPv6 address of the NTP server.

Switch(config)# ntp server <IP-ADDR>
Key             Specify the authentication key.


Switch(config)# ntp server <IP-ADDR> key key-id
Max-poll        Configure the maximum time intervals in seconds.

Switch(config)# ntp server <IP-ADDR> key key-id max-poll
<4-17>          Enter an integer number.


Switch(config)# ntp server <IP-ADDR> key key-id
Min-poll        Configure the minimum time intervals in seconds.


Switch(config)# ntp server <IP-ADDR> key key-id min-poll
<4-17>          Enter an integer number.


Switch(config)# ntp server <IP-ADDR> key key-id prefer max-poll <max-poll-val> min-poll <min-poll-val>
iburst          Enable initial burst (iburst) mode.
burst           Enable burst mode.


Switch(config)# ntp server IP-ADDR key key-id prefer maxpoll <number> minpoll <number> iburst

ntp server key-id

Syntax
ntp server <IP-ADDR | IPV6-ADDR> key-id <key-id> [max-poll <max-poll-val>] [min-poll <min-poll-val>] [burst | iburst]
Description

Configure the NTP server. <IP-ADDR> indicates the IPv4 address of the NTP server. <IPV6-ADDR> indicates the IPv6 address of the NTP server.

Options

burst

Enables burst mode.

iburst

Enables initial burst (iburst) mode.

key-id

Set the authentication key to use for this server.

max-poll <max-poll-val>

Configure the maximum time intervals in seconds.

min-poll <min-poll-val>

Configure the minimum time intervals in seconds.

ntp ipv6-multicast

Syntax

ntp ipv6-multicast

Description

Use this command to configure NTP multicast on a VLAN interface.

Restrictions
Validation: If ipv6 is not enabled on vlan interface
Error/Warning/Prompt: IPv6 address not configured on the VLAN.

ntp ipv6-multicast

Switch(vlan-2)# ntp
ipv6-multicast       Configure the interface to listen to the NTP multicast packets.

debug ntp

Syntax

debug ntp [event|packet]
Description

Use this command to display debug messages for NTP.

Parameters and options

event

Displays event log messages related to NTP.

packet

Displays NTP packet messages.

debug ntp

Switch(config)# debug ntp
event                 Display event log messages related to NTP.
packet                Display NTP packet messages.

ntp trap

Syntax

[no] ntp trap <TRAP-NAME>
Description

Use this command to configure NTP traps.

Parameters and options

no

Disables NTP traps.

TRAP-NAME

Specifies the NTP trap name.

Specifiers

Specify trap names as follows:

 ntp-mode-change
 ntp-stratum-change
 ntp-peer-change
 ntp-new-association
 ntp-remove-association
 ntp-config-change
 ntp-leapsec-announced
 ntp-alive-heartbeat
Usage

The traps defined below are generated as the result of finding an unusual condition while parsing an NTP packet or processing a timer event. Note that if more than one type of unusual condition is encountered while parsing the packet or processing an event, only the first one will generate a trap. Possible trap names are:

- 'ntpEntNotifModeChange' The notification to be sent when the NTP entity changes mode, including starting and stopping (if possible).

- 'ntpEntNotifStratumChange' The notification to be sent when stratum level of NTP changes.

- 'ntpEntNotifSyspeerChanged' The notification to be sent when a (new) syspeer has been selected.

- 'ntpEntNotifAddAssociation' The notification to be sent when a new association is mobilized.

- 'ntpEntNotifRemoveAssociation' The notification to be sent when an association is demobilized.

- 'ntpEntNotifConfigChanged' The notification to be sent when the NTP configuration has changed.

- 'ntpEntNotifLeapSecondAnnounced' The notification to be sent when a leap second has been announced.

- 'ntpEntNotifHeartbeat' The notification to be sent periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive.

show ntp statistics

Syntax
show ntp statistics
Description

Use this command to show NTP statistics.

show ntp statistics

Switch(config)# show ntp statistics

NTP Global statistics information

NTP In Packets                : 100
NTP Out Packets               : 110
NTP Bad Version Packets       : 4
NTP Protocol Error Packets    : 0

show ntp status

Syntax
show ntp status
Description

Use this command to show the status of the NTP.

show ntp status

Switch(config)# show ntp status

NTP Status information
NTP Status             : Disabled             NTP Mode        : Broadcast
Synchronization Status : Synchronized         Peer Dispersion : 8.01 sec
Stratum Number         : 2                    Leap Direction  : 1
Reference Assoc Id     : 1                    Clock Offset    : 0.0000 sec
Reference              : 192.0.2.1            Root Delay      : 0.00 sec
Precision              : 2**7                 Root Dispersion : 15.91 sec
NTP Uptime             : 01d 09h 15m          Time Resolution : 1
Drift                  : 0.000000000 sec/sec

System Time            : Tue Aug 25 04:59:11 2015
Reference Time         : Mon Jan  1 00:00:00 1990

show ntp authentication

Syntax
show ntp authentication
Description

Use this command to show the authentication status of the NTP.

show ntp authentication

Switch(config)# show ntp authentication

NTP Authentication Information

Key-ID     Auth Mode   Trusted
--------   ----------  -------  
67            md5       yes 
7             md5       no

show ntp associations

Syntax
show ntp associations
Description

Use this command to show the NTP associations configured for your system.

show ntp associations

Switch(config)# show ntp associations

                          NTP Associations Entries

Address          St   T  When Poll  Reach   Delay    Offset   Dispersion
--------------   ---  -- ---- ----- ------ -------   -------  ----------
121.0.23.1       16   u   -  1024    0      0.000     0.000    0.000
231.45.21.4      16   u   -  1024    0      0.000     0.000    0.000
55.21.56.2       16   u   -  1024    0      0.000     0.000    0.000
23.56.13.1        3   u 209  1024   377     54.936   -6.159    12.688
91.34.255.216     4   u 132  1024   377     1.391     0.978    3.860
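
A health check over this output, as an added example that is not part of the HPE documentation: it parses the table and flags servers that cannot currently supply time. It assumes the Reach column is the usual NTP 8-bit reachability register printed in octal (377 means the last eight polls were all answered) and that stratum 16 marks an unsynchronized source; the function names and the 198.51.100.7 row are constructed.

```python
def parse_associations(text):
    """Parse 'show ntp associations' rows into dicts; non-data lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[1].isdigit():
            continue  # title, column header and dashed separator
        reach = int(f[5], 8)  # assumption: octal 8-bit reach register
        rows.append({
            "address": f[0],
            "stratum": int(f[1]),
            "poll": int(f[4]),
            "reach": reach,
            "answered": bin(reach).count("1"),  # replies in the last 8 polls
            "offset": float(f[7]),
        })
    return rows


def unhealthy(rows):
    """Map address -> reasons for servers that cannot currently supply time."""
    report = {}
    for r in rows:
        reasons = []
        if r["stratum"] >= 16:
            reasons.append("stratum 16 (unsynchronized)")
        if r["reach"] == 0:
            reasons.append("no reply in the last 8 polls")
        elif r["answered"] < 8:
            reasons.append(f"missed {8 - r['answered']} of the last 8 polls")
        if reasons:
            report[r["address"]] = reasons
    return report


# Output copied from the page, plus one constructed row (198.51.100.7).
SAMPLE = """\
                          NTP Associations Entries

Address          St   T  When Poll  Reach   Delay    Offset   Dispersion
--------------   ---  -- ---- ----- ------ -------   -------  ----------
121.0.23.1       16   u   -  1024    0      0.000     0.000    0.000
231.45.21.4      16   u   -  1024    0      0.000     0.000    0.000
55.21.56.2       16   u   -  1024    0      0.000     0.000    0.000
23.56.13.1        3   u 209  1024   377     54.936   -6.159    12.688
91.34.255.216     4   u 132  1024   377     1.391     0.978    3.860
198.51.100.7      3   u  40    64   376     2.110     0.412    1.905
"""

if __name__ == "__main__":
    for address, reasons in unhealthy(parse_associations(SAMPLE)).items():
        print(address, "; ".join(reasons))
```

In the page's sample, three of the five configured servers have never answered, so the switch is effectively comparing time from only two sources.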

show ntp associations detail

Syntax
show ntp associations detail <IP-ADDR>
Description

Use this command to show the detailed status of NTP associations configured for your system.

Parameters and options

IP-ADDR

Specify the IPv4 address of the NTP server.

show ntp association detail

Switch(config)# show ntp association detail <IP ADDR>

NTP association information

IP address                : 172.31.32.2                 Peer Mode        : Server
Status                    : Configured, Insane, Invalid Peer Poll Intvl  : 64
Stratum                   : 5                           Root Delay       : 137.77 sec
Ref Assoc ID              : 0                           Root Dispersion  : 142.75
Association Name          : NTP Association 0           Reach            : 376
Reference ID              : 16.93.49.4                  Delay            : 4.23 sec
Our Mode                  : Client                      Offset           : -8.587 sec
Our Poll Intvl            : 1024                        Precision        : 2**19
Dispersion                : 1.62 sec
Association In Packets    : 60
Association Out Packets   : 60
Association Error Packets : 0
Origin Time               : Fri Jul  3 11:39:40 2015
Receive Time              : Fri Jul  3 11:39:44 2015
Transmit Time             : Fri Jul  3 11:39:44 2015

-----------------------------------------------------------------------------
Filter Delay =   4.23    4.14    2.41    5.95    2.37    2.33    4.26    4.33
Filter Offset = -8.59   -8.82   -9.91   -8.42  -10.51  -10.77  -10.13  -10.11

Validation Rules

Validation

Error/Warning/Prompt

If access-list name is not valid.

Please enter a valid access-list name.

If the authentication method is being set to two-factor authentication, various messages display.

If both the public key and username/password are not configured:

Public key and username/password should be configured for a successful two-factor authentication.

If public key is configured and username is not configured:

Username and password should be configured for a successful two-factor authentication.

If the username is configured and public key is not configured:

Public key should be configured for a successful two-factor authentication.

If “ssh-server” certificate is not installed at the time of enabling certificate-password authentication:

The “ssh-server” certificate should be installed for a successful two-factor authentication.

If the authentication method is set to two-factor while installing the public key, a message displays.

The client public keys without username will not be considered for the two-factor authentication for the SSH session.

If the username and the key installation user for that privilege do not match, a message displays and installation is not allowed.

This will also happen when the authentication method is set for two-factor.

The username in the key being installed does not match the username configured on the switch.

If the maximum number of <username : TA profile> associations is reached for a given TA profile, a message displays.

Maximum number of username associations with a TA profile is 10.

If secondary authentication type for two-factor authentication chosen is not "none", a message displays.

Not legal combination of authentication methods.

If the authentication method is anything other than two-factor and the two-factor authentication method options are set, a message displays.

Not legal combination of authentication methods.

If two-factor authentication is set and user tries to SSH into another system using “ssh <ip | hostname>” command, a message displays.

SSH client is not supported when the two-factor authentication is enabled.

If timeSync is in SNTP or Timep when NTP is enabled.

Timesync is not configured to NTP.

If timesync is NTP and NTP is enabled and we try to change timesync to SNTP.

Disable NTP before changing timesync to SNTP or TIMEP.

If we try to configure NTP servers more than the configured max-associations value.

The maximum number of NTP servers allowed is 2.

If we have ‘n’ NTP servers configured and we try to configure a max-associations value less than (n) number of NTP servers already configured.

Max-associations value cannot be less than the number of NTP servers configured.

If authentication key-id is not configured.

Authentication key-id %d has not been configured.

If key-id is not marked as trusted.

Key-id %d is not trusted.

If min poll value is more than max poll value.

NTP max poll value should be more than min poll value.

If ipv6 is not enabled on vlan interface.

IPv6 address not configured on the VLAN.

Event log messages

Event Message
RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS

W 01/01/15 18:24:03 03397: auth: %s.

Examples:

W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication.

W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication.

W 01/01/15 18:24:03 03397: auth: Public key should be configured for the successful two-factor authentication.

I 01/01/15 18:24:03 03397: auth: The validation of certificate of SSH user (user1) is successful.

RMON_SSH_KEY_TWO_FACTOR_EN

W 01/01/15 18:24:03 03399: ssh: %s.

Examples:

W 01/01/15 18:24:03 03399: ssh: The client public keys without username will not be considered for the two-factor authentication for SSH session.

W 01/01/15 18:24:03 03399: ssh: The privilege level for the user with the SSH key conflicts with the user configured.

RMON_SSH_TWO_FACTOR_AUTH_FAIL

W 01/01/15 18:24:03 03398: ssh: %s.

Examples:

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in public key authentication.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in username/password authentication.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed due to the failure in validating the client certificate.

W 01/01/15 18:24:03 03398: ssh: The two-factor authentication for SSH session failed as “ssh-server” certificate is not installed.