HI. I'm reaching out to the community to get some help with configuring the 5900 as our internal NTP time source. I want it to get its time from the ntp.org pool. Initially I just added local time to the server using the "clock datetime" command. I think I have read somewhere best practice is to add UTC time here, and use the "clock timezone" command to set the offset (which for my country is UTC+2). However when I issue the "display clock" command it display the UTC time. I have issued the "ntp-service enable command" This makes me unsure; what time will this switch give downstream hosts?
This is output from display ntp-service stat; Clock status: unsynchronized Clock stratum: 16 Reference clock ID: none Clock jitter: 0.000000 s Stability: 0.000 pps Clock precision: 2^-17 Root delay: 0.00000 ms Root dispersion: 17.91382 ms Reference time: 00000000.00000000 Thu, Feb 7 2036 8:28:16.000
How should I preceed with this? Does anyone know if the time given from the country zone is just a closer server, or will the time it gives my switch be the local time for that zone?
What command must I use to make the switch act as NPT server?
NTP uses UTC for all synchronization; so you don't have to worry about your switch's time zone or that of its peers to configure NTP. Use ntp-service unicast-server to configure your NTP sources. You should always use at least 3 servers.
Best practice is to set your time zone to UTC if you administer systems in multiple time zones. If all of your systems are in the same time zone and always will be, there is no point in following this, and it's best to use your local time zone. Use clock timezone to set the correct time zone.
If NTP is working properly and you have set your time zone properly, display ntp-service sessions should show that you are synced with a server and have low offsets from your peers (within 50-100 ms is usually good enough if you're not a timing-sensitive site).
If NTP is working properly and you've set your time zone properly, display clock should show your local time. If not, check the documentation or your switch CLI help to make sure you've got your clock timezone syntax right.
In the above example I only use v4 NTP servers to sync against and dont let any NTP clients to sync against my 5820 (the clients will have to sync themselfs with the NTP servers directly in this case). Also you need to replace <SERVER1> and <SERVER2> to whatever NTP servers you prefer yourselfs (or add many more, in my current setup I have 6 NTP servers configured to sync against).
Also dont forget the IPv6 ACL... specially nowadays when NTP can be used as a reflector attack and be part of DDoS-attacks against others on the Internet.
Well sure. Even if your clients cannot reach internet they can still get infected (through usb etc) and doing a ntp reflection attack within your network would get you the same troubles as one over ther internet.
