meteorx
Occasional Contributor

NTP and the 5900 switch

Hi. I'm reaching out to the community to get some help with configuring the 5900 as our internal NTP time source. I want it to get its time from the ntp.org pool. Initially I just added local time to the server using the "clock datetime" command. I think I have read somewhere that best practice is to add UTC time here, and use the "clock timezone" command to set the offset (which for my country is UTC+2). However, when I issue the "display clock" command it displays the UTC time. I have issued the "ntp-service enable" command. This makes me unsure; what time will this switch give downstream hosts?

 

This is the output from display ntp-service stat:
 Clock status: unsynchronized
 Clock stratum: 16
 Reference clock ID: none
 Clock jitter: 0.000000 s
 Stability: 0.000 pps
 Clock precision: 2^-17
 Root delay: 0.00000 ms
 Root dispersion: 17.91382 ms
 Reference time: 00000000.00000000  Thu, Feb  7 2036  8:28:16.000

 

How should I proceed with this? Does anyone know if the time given from the country zone is just a closer server, or will the time it gives my switch be the local time for that zone?

What command must I use to make the switch act as an NTP server?
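The status block quoted above is the classic "never synchronized" picture: stratum 16, no reference clock, and a reference time of all zeros that the switch nevertheless prints as a date in 2036. The script below is an added example written for this thread (it is not Comware code and not the poster's): it parses that output, flags the unsynchronized state, and converts the 64-bit NTP timestamp using the RFC 5905 era convention (high bit set means era 0, 1968 to 2036; clear means era 1), which is why a zero timestamp lands on 7 Feb 2036 06:28:16 UTC, or 08:28:16 at the poster's UTC+2. The sample text is copied from the post; the era rule being what the switch applies is an assumption.

```python
"""Parse Comware 'display ntp-service status' output and flag an unsynchronized clock.

Added illustration for this thread, not vendor code.  SAMPLE_STATUS is the
output quoted in the opening post.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_STATUS = """\
 Clock status: unsynchronized
 Clock stratum: 16
 Reference clock ID: none
 Clock jitter: 0.000000 s
 Stability: 0.000 pps
 Clock precision: 2^-17
 Root delay: 0.00000 ms
 Root dispersion: 17.91382 ms
 Reference time: 00000000.00000000  Thu, Feb  7 2036  8:28:16.000
"""

NTP_ERA0_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
NTP_ERA_SECONDS = 2 ** 32


def parse_status(text):
    """Turn 'Key: value' lines into a dict (keys lower-cased, values stripped)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def ntp_timestamp_to_utc(hex_ts):
    """Convert an 'ssssssss.ffffffff' NTP timestamp to an aware UTC datetime.

    Era rule (assumed to be what the switch applies): if the high bit of the
    32-bit seconds field is set the value is in era 0 (1968-2036), otherwise
    in era 1 (2036-2104).  An all-zero timestamp therefore decodes to
    2036-02-07 06:28:16 UTC, exactly 2^32 seconds after 1900-01-01.
    """
    sec_hex, frac_hex = hex_ts.split(".")
    seconds = int(sec_hex, 16)
    fraction = int(frac_hex, 16) / 2 ** 32
    era = 0 if seconds & 0x80000000 else 1
    return NTP_ERA0_EPOCH + timedelta(seconds=era * NTP_ERA_SECONDS + seconds + fraction)


def as_printed_local(dt_utc, offset_hours):
    """Render a UTC datetime in a fixed-offset zone, as the switch's clock display would."""
    local = dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.strftime("%a, %b %d %Y %H:%M:%S")


def assess(text):
    """Return (healthy, reasons).  A stratum-16 or unsynchronized clock must not serve time."""
    f = parse_status(text)
    reasons = []
    if f.get("clock status") != "synchronized":
        reasons.append("clock status is %s" % f.get("clock status", "missing"))
    stratum = int(f.get("clock stratum", "16"))
    if stratum >= 16:
        reasons.append("stratum %d means no upstream source" % stratum)
    if f.get("reference clock id", "none") == "none":
        reasons.append("no reference clock")
    ref = f.get("reference time", "")
    if ref and int(ref.split()[0].split(".")[0], 16) == 0:
        reasons.append("reference time is zero (never synchronized)")
    return (not reasons, reasons)


if __name__ == "__main__":
    healthy, reasons = assess(SAMPLE_STATUS)
    print("healthy:", healthy)
    for r in reasons:
        print(" -", r)
    zero = ntp_timestamp_to_utc("00000000.00000000")
    print("zero timestamp in UTC:  ", zero.isoformat())
    print("zero timestamp at UTC+2:", as_printed_local(zero, 2))
```

Run it against the pasted output and the 2036 date stops looking like a clock fault: it is the NTP representation of "no reference time", shifted by the two-hour zone offset. Until `assess()` reports healthy, downstream hosts should not be pointed at the switch.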

 

paulgear
Esteemed Contributor

Re: NTP and the 5900 switch

Hi meteorx,

 

To hopefully answer your questions:

  • NTP uses UTC for all synchronization; so you don't have to worry about your switch's time zone or that of its peers to configure NTP.  Use ntp-service unicast-server to configure your NTP sources.  You should always use at least 3 servers.
  • Best practice is to set your time zone to UTC if you administer systems in multiple time zones.  If all of your systems are in the same time zone and always will be, there is no point in following this, and it's best to use your local time zone.  Use clock timezone to set the correct time zone.
  • If NTP is working properly and you have set your time zone properly, display ntp-service sessions should show that you are synced with a server and have low offsets from your peers (within 50-100 ms is usually good enough if you're not a timing-sensitive site).
  • If NTP is working properly and you've set your time zone properly, display clock should show your local time.  If not, check the documentation or your switch CLI help to make sure you've got your clock timezone syntax right.

Hope that helps.

Regards,
Paul
Apachez-
Trusted Contributor

Re: NTP and the 5900 switch

This is how I do NTP on a 5820 unit:

 

acl number 2001 name v4-MGMT-NTP
 hardware-count enable
 rule 0 permit source <SERVER1> 0
 rule 5 permit source <SERVER2> 0
 rule 15 deny

acl ipv6 number 2001 name v6-MGMT-NTP
 hardware-count enable
 rule 0 deny


 ntp-service source-interface LoopBack0
 ntp-service access peer 2001
 ntp-service access server 2000
 ntp-service access synchronization 2000
 ntp-service access query 2000
 ntp-service unicast-server <SERVER1>
 ntp-service unicast-server <SERVER2>

 

In the above example I only use v4 NTP servers to sync against and don't let any NTP clients sync against my 5820 (the clients will have to sync themselves with the NTP servers directly in this case). Also you need to replace <SERVER1> and <SERVER2> with whatever NTP servers you prefer (or add many more; in my current setup I have 6 NTP servers configured to sync against).

 

Also don't forget the IPv6 ACL... especially nowadays when NTP can be used as a reflector and be part of DDoS attacks against others on the Internet.
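To make the effect of those ntp-service access bindings concrete, here is an added simulation of Comware basic-ACL matching written for this thread (it is neither Comware code nor Apachez-'s own). It fills the <SERVER1> and <SERVER2> placeholders with constructed RFC 5737 documentation addresses and, because ACL 2000 is referenced but not shown in the post, models it as a deny-all ACL; that, and treating a source that matches no rule as denied, are assumptions of the model rather than statements about the firmware. The wildcard test is the standard one: a 0 bit in the mask must match, a 1 bit is ignored, so "source X 0" is a single host.

```python
"""Simulate which NTP access levels a source address gets under the posted ACLs.

Added illustration, not Comware code.  First matching rule (by rule number) wins;
no match is treated as deny (an assumption of this model).
"""
import ipaddress

# Constructed stand-ins for the <SERVER1> / <SERVER2> placeholders in the post.
SERVER1 = "192.0.2.10"
SERVER2 = "198.51.100.20"

# (rule number, action, source, wildcard); a source of None matches everything.
ACL_V4 = {
    2001: [(0, "permit", SERVER1, "0.0.0.0"),     # acl number 2001 name v4-MGMT-NTP
           (5, "permit", SERVER2, "0.0.0.0"),
           (15, "deny", None, None)],
    2000: [(0, "deny", None, None)],              # not shown in the post: constructed deny-all
}
ACL_V6 = {
    2001: [(0, "deny", None, None)],              # acl ipv6 number 2001 name v6-MGMT-NTP
    2000: [(0, "deny", None, None)],              # constructed, as above
}

# ntp-service access <level> <acl> bindings from the post.
NTP_ACCESS = {"peer": 2001, "server": 2000, "synchronization": 2000, "query": 2000}


def wildcard_match(addr, rule_addr, wildcard):
    """Comware-style wildcard mask: bits that are 0 in the mask must be equal."""
    a = int(ipaddress.ip_address(addr))
    r = int(ipaddress.ip_address(rule_addr))
    w = int(ipaddress.ip_address(wildcard))
    return (a ^ r) & ~w == 0


def acl_action(rules, src):
    """Evaluate rules in rule-number order; the first match decides, else deny (assumed)."""
    for _num, action, rule_addr, wildcard in sorted(rules, key=lambda r: r[0]):
        if rule_addr is None or wildcard_match(src, rule_addr, wildcard):
            return action
    return "deny"


def ntp_access_for(src):
    """Return the set of NTP access levels the source address is permitted."""
    tables = ACL_V6 if ipaddress.ip_address(src).version == 6 else ACL_V4
    granted = set()
    for level, acl_num in NTP_ACCESS.items():
        if acl_action(tables.get(acl_num, []), src) == "permit":
            granted.add(level)
    return granted


if __name__ == "__main__":
    for src in (SERVER1, SERVER2, "203.0.113.5", "2001:db8::1"):
        print("%-16s -> %s" % (src, sorted(ntp_access_for(src)) or "nothing"))
```

With these tables only the two configured upstream servers match anything, and only on the ACL bound to the peer level; every other IPv4 source and every IPv6 source falls through to a deny. Whether a client behind the v6 ACL sees a refusal rather than an answer is exactly the property worth verifying on the real switch, since an NTP service that answers arbitrary sources is the precondition for the reflection problem mentioned in the post.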

meteorx
Occasional Contributor

Re: NTP and the 5900 switch

Thanks for the reply. Are you sure an NTP-enabled device that is not exposed to the internet can be used in a reflector attack?
Apachez-
Trusted Contributor

Re: NTP and the 5900 switch

Well sure. Even if your clients cannot reach the internet they can still get infected (through USB etc.), and an NTP reflection attack within your network would get you the same trouble as one over the internet.
Star1
New Member

Re: NTP and the 5900 switch

Hello Paul,
We recently had a power outage at one of our sites, but after the power came back up the switches, routers and all network devices lost NTP sync. I added the static route and configured NTP from scratch, but NTP is stuck in init status. How can I fix it, please?
EdMay
New Member

Re: NTP and the 5900 switch

I am looking to disable this, as you have suggested, but in your example you reference ACL 2001, which you give an example for, and 2000, which you do not give an example for.

- Should these all reference the same ACL?

- Also, will the router check both the IPv6 and IPv4 versions of the ACL, or just know which it should reference based upon the source address?

I hope you have time to reply,

Thank you