3. Configuring Network Time Protocol (NTP). Alcatel-Lucent OmniSwitch 6800 Series, OmniSwitch 9000 Series, OmniSwitch 6850 Series


3 Configuring Network Time Protocol (NTP)

Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver. It provides client time accuracies within a millisecond on LANs, and up to a few tens of milliseconds on WANs relative to a primary server synchronized to Universal Coordinated Time (UTC) (via a Global Positioning Service receiver, for example).

In This Chapter

This chapter describes the basic components of the OmniSwitch implementation of Network Time Protocol and how to configure it through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.

Configuration procedures described in this chapter include:

• Enabling the NTP client and selecting the NTP mode. See “Configuring the OmniSwitch as a Client” on page 3-9.

• Selecting an NTP server for the NTP client and modifying settings for communicating with the server. See “NTP Servers” on page 3-10.

• Enabling authentication in NTP negotiations. See “Using Authentication” on page 3-12.

OmniSwitch 6800/6850/9000 Switch Management Guide December 2007 page 3-1


NTP Specifications

RFCs supported                             1305 (Network Time Protocol)

Maximum number of NTP servers per client   3

NTP Defaults Table

The following table shows the default settings of the configurable NTP parameters:

NTP Defaults

Parameter Description                                         Command              Default Value/Comments
Specifies an NTP server from which this switch will           ntp server           version: 4, minpoll: 6,
receive updates                                                                    prefer: no, key: 0
Used to activate client                                       ntp client           disabled
Used to activate NTP client broadcast mode                    ntp broadcast        disabled
Used to set the advertised broadcast delay, in microseconds   ntp broadcast-delay  4000 microseconds


NTP Quick Steps

The following steps are designed to show the user the necessary commands to set up NTP on an OmniSwitch:

1 Designate an NTP server for the switch using the ntp server command. The NTP server provides the switch with its NTP time information. For example:

-> ntp server 1.2.5.6

2 Activate the client side of NTP on the switch using the ntp client command. For example:

-> ntp client enable

3 You can check the server status using the show ntp server status command, as shown:

-> show ntp server status 198.206.181.139
IP address = 198.206.181.139,
Host mode = client,
Peer mode = server,
Prefer = no,
Version = 4,
Key = 0,
Stratum = 2,
Minpoll = 6 (64 seconds),
Maxpoll = 10 (1024 seconds),
Delay = 0.016 seconds,
Offset = -180.232 seconds,
Dispersion = 7.945 seconds
Root distance = 0.026,
Precision = -14,
Reference IP = 209.81.9.7,
Status = configured : reachable : rejected,
Uptime count = 1742 seconds,
Reachability = 1,
Unreachable count = 0,
Stats reset count = 1680 seconds,
Packets sent = 1,
Packets received = 1,
Duplicate packets = 0,
Bogus origin = 0,
Bad authentication = 0,
Bad dispersion = 0,
Last Event = peer changed to reachable,

4 You can check the list of servers associated with this client using the show ntp client server-list command, as shown:

-> show ntp client server-list
IP Address       Ver Key     St   Delay      Offset            Disp
================+===+=======+====+==========+=================+==========
1.2.5.6           4   0       2    0.06       -0.673            0.017


5 You can check the client configuration using the show ntp client command, as shown:

-> show ntp client

Current time: THU SEP 15 2005 17:44:54 (UTC)

Last NTP update: THU SEP 15 2005 17:30:54

Client mode: enabled

Broadcast client mode: disabled

Broadcast delay (microseconds): 4000
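Added example, not code from the guide or the OmniSwitch software: a small Python checker that parses the show ntp server status display shown in step 3 and flags the conditions an operator should look at (server rejected, server unreachable, key 0 meaning no authentication, authentication failures, large offset or dispersion). The thresholds are assumed values, and the sample output is a constructed excerpt of the step 3 display.

```python
import re

# Constructed sample: an excerpt of the "show ntp server status" output above.
SAMPLE = """\
IP address = 198.206.181.139,
Host mode = client,
Peer mode = server,
Key = 0,
Stratum = 2,
Offset = -180.232 seconds,
Dispersion = 7.945 seconds
Status = configured : reachable : rejected,
Reachability = 1,
Unreachable count = 0,
Bad authentication = 0,
Last Event = peer changed to reachable,
"""


def parse_status(text):
    """Turn 'Name = value,' lines into a {name: value} dict (trailing comma dropped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*=\s*(.+?),?\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def number(value):
    """First token as a float, e.g. '-180.232 seconds' -> -180.232."""
    return float(value.split()[0])


def check_server(fields, max_offset=1.0, max_dispersion=1.0):
    """Return a list of findings; an empty list means nothing looks wrong.
    max_offset / max_dispersion (seconds) are assumed thresholds, not switch values."""
    findings = []
    status = [s.strip() for s in fields.get("Status", "").split(":")]
    if "rejected" in status:
        findings.append("server rejected by the clock selection algorithm")
    if "reachable" not in status or number(fields.get("Reachability", "0")) == 0:
        findings.append("server not reachable")
    if number(fields.get("Key", "0")) == 0:
        findings.append("no authentication key configured (key 0)")
    if number(fields.get("Bad authentication", "0")) > 0:
        findings.append("packets failed MD5 authentication")
    if abs(number(fields.get("Offset", "0"))) > max_offset:
        findings.append(f"offset {fields['Offset']} exceeds {max_offset} s")
    if number(fields.get("Dispersion", "0")) > max_dispersion:
        findings.append(f"dispersion {fields['Dispersion']} exceeds {max_dispersion} s")
    return findings


if __name__ == "__main__":
    for finding in check_server(parse_status(SAMPLE)):
        print(finding)
```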


NTP Overview

Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver. It provides client time accuracies within a millisecond on LANs, and up to a few tens of milliseconds on WANs relative to a primary server synchronized to Universal Coordinated Time (UTC) (via a Global Positioning Service receiver, for example). Typical NTP configurations utilize multiple redundant servers and diverse network paths in order to achieve high accuracy and reliability. Some configurations include cryptographic authentication to prevent accidental or malicious protocol attacks.

It is important for networks to maintain accurate time synchronization between network nodes. The standard timescale used by most nations of the world is based on a combination of UTC (representing the Earth’s rotation about its axis), and the Gregorian Calendar (representing the Earth’s rotation about the Sun). The UTC timescale is disciplined with respect to International Atomic Time (TAI) by inserting leap seconds at intervals of about 18 months. UTC time is disseminated by various means, including radio and satellite navigation systems, telephone modems, and portable clocks.

Special purpose receivers are available for many time-dissemination services, including the Global Position System (GPS) and other services operated by various national governments. For reasons of cost and convenience, it is not possible to equip every computer with one of these receivers. However, it is possible to equip some computers with these clocks, which then act as primary time servers to synchronize a much larger number of secondary servers and clients connected by a common network. In order to do this, a distributed network clock synchronization protocol is required which can read a server clock, transmit the reading to one or more clients, and adjust each client clock as required. Protocols that do this include NTP.

Note. The OmniSwitch 6800, 6850, and 9000 switches can only be NTP clients in an NTP network. They cannot act as NTP servers.


Stratum

Stratum is the term used to define the relative proximity of a node in a network to a time source (such as a radio clock). Stratum 1 is the server connected to the time source itself. (In most cases the time source and the stratum 1 server are in the same physical location.) An NTP client or server connected to a stratum 1 source would be stratum 2. A client or server connected to a stratum 2 machine would be stratum 3, and so on, as demonstrated in the diagram below:

[Diagram: UTC Time Source -> Stratum 1 -> Stratum 2 -> Stratum 3]

The farther away from stratum 1 a device is, the more likely there will be discrepancies or errors in the time adjustments done by NTP. A list of stratum 1 and 2 sources available to the public can be found on the Internet.

Note. It is not required that NTP be connected to an officially recognized time source (for example, a radio clock). NTP can use any time source to synchronize time in the network.

Using NTP in a Network

NTP operates on the premise that there is one true standard time (defined by UTC), and that if several servers claiming synchronization to the standard time are in disagreement, then one or more of them must be out of synchronization or not functioning correctly. The stratum gradation is used to qualify the accuracy of a time source along with other factors, such as advertised precision and the length of the network path between connections. NTP operates with a basic distrust of time information sent from other network entities, and is most effective when multiple NTP time sources are integrated together for checks and crosschecks. To achieve this end, there are several modes of operation that an NTP entity can use when synchronizing time in a network. These modes determine how the entity behaves when requesting or sending time information, and are listed below:

• A switch can be a client of an NTP server (usually of a lower stratum), receiving time information from the server but not passing it on to other switches.

• A switch can be a client of an NTP server, and in turn be a server to another switch or switches.

• A switch (regardless of its status as either a client or server) must be peered with another switch. Peering allows NTP entities in the network of the same stratum to regard each other as reliable sources of time and exchange time information.

Examples of these are shown in the simple network diagram below:

[Diagram: UTC Time Source -> Stratum 1 NTP Servers 1a and 1b -> Stratum 2 NTP Server/Clients 2a and 2b -> Stratum 3 NTP Clients 3a and 3b]

Servers 1a and 1b receive time information from, or synchronize with, a UTC time source such as a radio clock. (In most cases, these servers would not be connected to the same UTC source, though it is shown this way for simplicity.) Servers 1a and 1b become stratum 1 NTP servers and are peered with each other, allowing them to check UTC time information against each other. These machines support machines 2a and 2b as clients, and these clients are synchronized to the higher stratum servers 1a and 1b.

Clients 2a and 2b are also peered with each other for time checks, and become stratum 2 NTP servers for more clients (3a and 3b, which are also peered). In this hierarchy, the stratum 1 servers synchronize to the most accurate time source available, then check the time information with peers at the same stratum. The stratum 2 machines synchronize to the stratum 1 servers, but do not send time information to the stratum 1 machines. Machines 2a and 2b in turn provide time information to the stratum 3 machines. It is important to consider the issue of robustness when selecting sources for time synchronization.

It is suggested that at least three sources should be available, and at least one should be “close” to you in terms of network topology. It is also suggested that each NTP client is peered with at least three other same stratum clients, so that time information crosschecking is performed.

Note. Alcatel-Lucent’s current implementation of NTP only allows the OmniSwitch to act as a passive client, not as a server. A passive client only receives NTP information and adjusts its time accordingly. In the above example, an OmniSwitch could be either Server 3a or 3b. An OmniSwitch as Server 3a or 3b would also not be able to peer with other servers on the same stratum.


When planning your network, it is helpful to use the following general rules:

• It is usually not a good idea to synchronize a local time server with a peer (in other words, a server at the same stratum), unless the latter is receiving time updates from a source that has a lower stratum than from where the former is receiving time updates. This minimizes common points of failure.

• Peer associations should only be configured between servers at the same stratum level. Higher Strata should configure lower Strata, not the reverse.

• It is inadvisable to configure time servers in a domain to a single time source. Doing so invites common points of failure.

Note. NTP does not support year date values greater than 2035 (the reasons are documented in RFC 1305 in the data format section). This should not be a problem (until the year 2035) as setting the date this far in advance runs counter to the administrative intention of running NTP.

Authentication

NTP is designed to use MD5 key-based authentication (a message digest computed with a shared secret key, as specified in RFC 1305) to prevent outside influence upon NTP timestamp information. This is done by using a key file. The key file is loaded into the switch memory, and consists of a text file that lists key identifiers that correspond to particular NTP entities.

If authentication is enabled on an NTP switch, any NTP message sent to the switch must contain the correct key ID in the message packet so that the switch can verify the message digest. Likewise, any message sent from the authentication-enabled switch will not be accepted as authentic unless the receiving NTP entity possesses the key for that key ID.

The key file is a text (.txt) file that contains a list of keys that are used to authenticate NTP servers. It should be located in the /networking directory of the switch.

Key files are created by a system administrator independent of the NTP protocol, and then placed in the switch memory when the switch boots. An example of a key file is shown below:

2   M   RIrop8KPPvQvYotM   # md5 key as an ASCII random string
14  M   sundial            # md5 key as an ASCII string

In a key file, the first token is the key number ID, the second is the key format, and the third is the key itself. (The text following a “#” is not counted as part of the key, and is used merely for description.) The key format indicates an MD5 key written as a 1 to 31 character ASCII string with each character standing for a key octet.

The key file (with identical MD5 keys) must be located on both the local NTP client and the client’s server.
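As an added example (not code from the guide or the OmniSwitch software), the following Python parses a key file in the format described above and verifies the authenticator of an NTP packet the way a client would, refusing a key ID that is loaded but not marked trusted. It assumes the digest is MD5 over the key followed by the 48-byte packet header, as ntpd computes it; the key file contents and the packet header are constructed.

```python
import hashlib
import hmac
import struct

# Constructed key file, same layout as the guide's example:
# <key id> <format> <key> [# comment]
KEY_FILE = """\
2  M  RIrop8KPPvQvYotM  # md5 key as an ASCII random string
14 M  sundial           # md5 key as an ASCII string
"""

# Constructed 48-byte NTPv4 server reply header (version 4, mode 4, stratum 2,
# poll 6, precision -14); timestamps are left zero since only the MAC matters here.
HEADER = bytes([0x24, 2, 6, 0xF2]) + bytes(44)


def parse_key_file(text):
    """Return {key_id: key_bytes}; format 'M' is an ASCII string of 1-31 octets."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # text after '#' is only a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<id> <format> <key>'")
        key_id, fmt, key = fields
        if fmt != "M":
            raise ValueError(f"line {lineno}: unsupported key format {fmt!r}")
        if not 1 <= len(key) <= 31:
            raise ValueError(f"line {lineno}: MD5 key must be 1-31 characters")
        keys[int(key_id)] = key.encode("ascii")
    return keys


def ntp_digest(key, packet):
    """16-byte MD5(key || packet): the digest part of the RFC 1305 authenticator
    (assumed to match ntpd's MD5 computation)."""
    return hashlib.md5(key + packet).digest()


def build_authenticated(packet, key_id, keys):
    """Sender side: packet || key id (32 bits, network order) || digest."""
    return packet + struct.pack("!I", key_id) + ntp_digest(keys[key_id], packet)


def verify(message, keys, trusted):
    """Receiver side: (ok, reason) for a 48-byte header plus 20-byte authenticator.
    Keys that are loaded but not marked trusted are refused, as the guide describes."""
    if len(message) != 48 + 20:
        return False, "bad length"
    packet, digest = message[:48], message[52:]
    key_id = struct.unpack("!I", message[48:52])[0]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in trusted:
        return False, "key not trusted"
    if not hmac.compare_digest(ntp_digest(keys[key_id], packet), digest):
        return False, "bad authentication"
    return True, "ok"


if __name__ == "__main__":
    keys = parse_key_file(KEY_FILE)
    msg = build_authenticated(HEADER, 2, keys)
    print(verify(msg, keys, trusted={2}), verify(msg, keys, trusted={14}))
```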


Configuring NTP

The following sections detail the various commands used to configure and view the NTP client software in an OmniSwitch.

Configuring the OmniSwitch as a Client

The NTP software is disabled on the switch by default. To activate the switch as an NTP client, enter the ntp client command as shown:

-> ntp client enable

This sets the switch to act as an NTP client in the passive mode, meaning the client will receive updates from a designated NTP server.

To disable the NTP software, enter the ntp client command as shown:

-> ntp client disable

Setting the Client to Broadcast Mode

It is possible to configure an NTP client to operate in the broadcast mode. Broadcast mode specifies that a client switch listens on all interfaces for server broadcast timestamp information. It uses these messages to update its time.

To set an OmniSwitch to operate in the broadcast mode, enter the ntp broadcast command as shown:

-> ntp broadcast enable

A client in the broadcast mode does not need to have a specified server.

Setting the Broadcast Delay

When set to the broadcast mode, a client needs to advertise a broadcast delay. The broadcast mode is intended for operation on networks with numerous workstations and where the highest accuracy is not required. In a typical scenario, one or more time servers on the network broadcast NTP messages, which are received by NTP hosts. The correct time is determined from an NTP message based on a pre-configured latency or broadcast delay in the order of a few milliseconds.

To set the broadcast delay, enter the ntp broadcast-delay command as shown:

-> ntp broadcast-delay 1000


NTP Servers

An NTP client needs to receive NTP updates from an NTP server. Each client must have at least one server with which it synchronizes (unless it is operating in broadcast mode). There are also adjustable server options.

Designating an NTP Server

To configure an NTP client to receive updates from an NTP server, enter the ntp server command with the server IP address or domain name, as shown:

-> ntp server 1.1.1.1

or

-> ntp server spartacus

It is possible to remove an NTP server from the list of servers from which a client synchronizes. To do this, enter the ntp server command with the no prefix, as shown:

-> no ntp server 1.1.1.1

Enabling/Disabling NTP Server Synchronization Tests

To enable an NTP client to invoke NTP server synchronization tests as specified by the NTP protocol, enter the ntp server synchronized command as shown:

-> ntp server synchronized

NTP synchronization is enabled by default.

Note. The NTP protocol discards the NTP servers that are unsynchronized.

To disable an NTP client from invoking tests for NTP server synchronization, enter the ntp server unsynchronized command, as shown:

-> ntp server unsynchronized

Disabling peer synchronization tests allows the NTP client to synchronize with either an NTP peer that is not synchronized with an atomic clock or a network of NTP servers that will finally synchronize with an atomic clock.

Setting the Minimum Poll Time

The minimum poll time is the number of seconds that the switch waits before requesting a time synchronization from the NTP server. This number is determined by raising 2 to the power of the number entered using the ntp server command with the server IP address (or domain name) and the minpoll keyword.

For example, to set the minimum poll time to 128 seconds, enter the following:

-> ntp server 1.1.1.1 minpoll 7

This would set the minimum poll time to 2^7 = 128 seconds.


Setting the Version Number

There are currently four versions of NTP available (numbered one through four). The version that the NTP server uses must be specified on the client side.

To specify the NTP version on the server from which the switch receives updates, use the ntp server command with the server IP address (or domain name), version keyword, and version number, as shown:

-> ntp server 1.1.1.1 version 3

The default setting is version 4.

Marking a Server as Preferred

If a client receives timestamp updates from more than one server, it is possible to mark one of the servers as the preferred server. A preferred server’s timestamp will be used before another unpreferred server timestamp.

To specify an NTP server as preferred, use the ntp server command with the server IP address (or domain name) and the prefer keyword, as shown:

-> ntp server 1.1.1.1 prefer


Using Authentication

Authentication is used to protect the NTP messages sent between the client and server against tampering. The NTP server and the NTP client must both have a text file containing the shared secret keys. (This file should be obtained from the server administrator. For more information on the authentication file, see “Authentication” on page 3-8.)

Once both the client and server share a common MD5 key, the MD5 key identification for the NTP server must be specified on the client side and labeled as trusted there.

Setting the Key ID for the NTP Server

Enabling authentication requires the following steps:

1 Make sure the key file is located in the /networking directory of the switch. This file must contain the key for the server that provides the switch with its timestamp information.

2 Make sure the key file with the NTP server’s MD5 key is loaded into the switch memory by issuing the ntp key load command, as shown:

-> ntp key load

3 Set the server authentication key identification number using the ntp server command with the key keyword. This key identification number must be the one the server uses for MD5 encryption. For example, to specify key identification number 2 for an NTP server with an IP address of 1.1.1.1, enter:

-> ntp server 1.1.1.1 key 2

4 Specify the key identification set above as trusted. A key that has been labeled as trusted is ready for use in the authentication process. To set a key identification to be trusted, enter the ntp key command with the key identification number and trusted keyword. For example, to set key ID 5 to trusted status, enter the following:

-> ntp key 5 trusted

Untrusted keys, even if they are in the switch memory and match an NTP server, will not authenticate NTP messages.

5 A key can be set to untrusted status by using the ntp key command with the untrusted keyword. For example, to set key ID 5 to untrusted status, enter the following:

-> ntp key 5 untrusted


Verifying NTP Configuration

To display information about the NTP client, use the show commands listed in the following table:

show ntp client              Displays information about the current client NTP configuration.
show ntp server status       Displays the basic server information for a specific NTP server or a list of NTP servers.
show ntp client server-list  Displays a list of the servers with which the NTP client synchronizes.
show ntp keys                Displays information about all authentication keys.

For more information about the resulting displays from these commands, see the “NTP Commands” chapter in the OmniSwitch CLI Reference Guide.

Examples of the show ntp client, show ntp server status, and show ntp client server-list command outputs are given in the section “NTP Quick Steps” on page 3-3.
