NTP and Clock | NVIDIA Onyx

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over variable-latency data networks. NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC) and is designed to mitigate the effects of variable network latency. NTP can usually maintain time to within tens of milliseconds over the public Internet, and can achieve better than one millisecond accuracy in local area networks under ideal conditions.

NTP Authenticate

When authentication of incoming NTP packets is enabled, the switch ensures that they come from an authenticated time source before using them for time synchronization on the switch. Authentication keys are created and added to the trusted list.

To add a key to be used for authentication, take the following steps.

Create the key.

switch (config)# ntp authentication-key 1 md5 password

Add the key to the trusted list.
```
switch (config)# ntp trusted-key 1
```

Assign the key to the server/peer.

switch (config)# ntp server 10.34.1.1 keyID 1

NTP Authentication Key

An authentication key may be created and used to authenticate incoming NTP packets. For the key to be used, make sure the following is in place.

It should be shared with the NTP server/peer sending the NTP packet.
It should be added to the trusted list.
NTP authenticate should be enabled on the system

Additional Reading and Use Cases

For more information about this feature and its potential applications, please refer to the following community post:

HowTo Enable NTP

NTP Commands

clock set

1		clock set <hh:mm:ss> [<yyyy/mm/dd>] Sets the time and date.
2	Syntax Description	hh:mm:ss	Time
		yyyy/mm/dd	Date
3	Default	N/A
4	Configuration Mode	config
5	History	3.1.0000
6	Example	switch (config) # clock set 23:23:23 2010/08/19
7	Related Commands	show clock
8	Notes	If not specified, the date will be left the same.

clock timezone

	clock timezone [<zone-word> [<zone-word> [<zone-word>] [<zone-word>]]] no clock timezone Sets the system time zone. The time zone may be specified in one of three ways: A nearby city whose time zone rules to follow. The system has a large list of cities which can be displayed by the help and completion system. They are organized hierarchically because there are too many of them to display in a flat list. A given city may be required to be specified in two, three, or four words, depending on the city An offset from UTC. This will be in the form UTC-offset UTC, UTC-offset UTC+<0-14>, UTC-offset UTC-<1-12> UTC (Universal Time, which is almost identical to GMT), and this is the default time zone The no form of the command resets time zone to its default (GMT).
Syntax Description	zone-word	Possible forms this could take include: continent, city, continent, country, city, continent, region, country, city, ocean, and/or island.
Default	GMT
Configuration Mode	config
History	3.1.0000
Example	switch (config) # clock timezone America North United_States Other New_York
Related Commands	show clock
Notes

ntp

	ntp { {[vrf <vrf-name>] { disable \| enable [force]}} \| {peer \| server} <IP address> [version <number> \| disable]} no ntp { {[vrf <vrf-name>] {disable \| enable}} \| {peer \| server} <IP address> [version <number> \| disable]} Configures NTP. The no form of the command negates NTP options.
Syntax Description	disable	Disables NTP.
	enable	Enables NTP.
	peer \| server	Configures an NTP peer or server node.
	IP address	IPv4 or IPv6 address.
	version <number>	Specifies the NTP version number of this peer. Possible values: 3 or 4
	vrf name—Describes the VRF name for NTP daemon. If the VRF parameter is not specified, the "default" VRF will be used implicitly force—This option will restart ntp with passed VRF context even if it was already enabled using other VRF.
Default	NTP is enabled NTP version number is 4
Configuration Mode	config
History	3.1.0000 3.9.2000—Added VRF option
Example	switch (config) # no ntp peer 192.168.10.24 disable
Related Commands
Notes	NTP can be enabled only in one VRF at a time.

ntpdate

	ntpdate <ip-address> Configures the system clock using the specified SNTP server.
Syntax Description	ip-address	IP address of SNTP server.
Default	N/A
Configuration Mode	config
History	3.1.0000
Example	switch (config) # ntpdate 192.168.10.1026 Feb 17:25:40 ntpdate[15206]: adjust time server 192.168.10.10 offset -0.000092 sec
Related Commands
Notes	This is a one-time operation and does not cause the clock to be kept in sync on an ongoing basis. It will generate an error if SNTP is enabled since the socket it requires will already be in use.

ntp authenticate

	ntp authenticate no ntp authenticate Enables NTP authentication. The no form of the command disables NTP authentication.
Syntax Description	N/A
Default	Disabled
Configuration Mode	config
History	3.5.0200
Example	switch (config) # ntp authenticate
Related Commands
Notes

ntp authentication-key

	ntp authentication-key <key-id> <encrypt-type> [<password>] no ntp authentication-key <key-id> Enables NTP authentication. The no form of the command disables NTP authentication.
Syntax Description	key-id	Specifies a key ID, whether existing or a new one to be added. Range: 1-65534
	encrypt-type	Specifies encryption type to use (md5, or sha1)
	password	Password string
Default	Disabled
Configuration Mode	config
History	3.5.0200
Example	switch (config) # ntp authentication-key 123 md5 examplepassswitch (config) # ntp authentication-key 1234 sha1Password: Confirm:
Related Commands
Notes	If a password is not entered, a prompt appears requiring that a password is introduced.

ntp peer disable

	ntp peer <ip-address> disable no ntp peer <ip-address> disable Temporarily disables this NTP peer. The no form of the command enables this NTP peer.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
Default	Disabled
Configuration Mode	config
History	3.5.0200 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp peer 10.10.10.10 disable
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7'.) The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen.

ntp peer keyID

	ntp peer <ip-address> keyID <key-id> no ntp peer <ip-address> keyID <key-id> Specifies the KeyID of the NTP peer. The no form of the command removes key ID configuration from the NTP peer.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
	key-id	Range: 1-65534
Default	Disabled
Configuration Mode	config
History	3.5.0200 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp peer 10.10.10.10 keyID 120
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7'.) The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen.

ntp peer version

	ntp peer <ip-address> version <ver-num> no ntp peer <ip-address> version <ver-num> Specifies the NTP version number of this peer. The no form of the command defaults NTP to version 4.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
	ver-num	NTP version. Possible values: 3 or 4
Default	4
Configuration Mode	config
History	3.5.0200 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp peer 10.10.10.10 version 4
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7') The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen.

ntp server disable

	ntp server <ip-address> disable no ntp server <ip-address> disable Temporarily disables this NTP server. The no form of the command enables this NTP server.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
Default	Disabled
Configuration Mode	config
History	3.5.5000 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp server 10.10.10.10 disable
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7'.) The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen.

ntp server keyID

	ntp server <ip-address> keyID <key-id> no ntp server <ip-address> keyID <key-id> Specifies the KeyID of the NTP server. The no form of the command removes key ID configuration from the NTP server.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
	key-id	Range: 1-65534
Default	Disabled
Configuration Mode	config
History	3.5.0200 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp server 10.10.10.10 keyID 120
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7'.) The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen.

ntp server-role disable

	ntp server-role disable no ntp server-role disable Disables the switch's default ability to function as an NTP server. The no form of the command restores the switch's ability to function as an NTP server.
Syntax Description	N/A
Default	N/A
Configuration Mode	Configure terminal
History	3.8.2100
Role	Admin
Example	switch (config) # ntp server-role disable
Related Commands	show ntp
Notes	This command is configurable.

ntp server trusted-enable

	ntp server <ip-address> trusted-enable no ntp server <ip-address> trusted-enable Trusts this NTP server; if authentication is configured this will additionally force all time updates to only use trusted servers. The no form of the command removes trust from this NTP server.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
Default	N/A
Configuration Mode	config
History	3.6.2002 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp server 10.10.10.10 trusted-enable
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7'.) The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen. NTP trusted servers can be used as a mitigation for Sybil attacks which is a vulnerability caused by NTP peers sharing the same NTP key base. This mitigation adds the concept of trusted servers which if enabled in conjunction with NTP authentication ensures that time information will only be obtained from trusted servers.

ntp server version

	ntp server <ip-address> version <ver-num> no ntp server <ip-address> version <ver-num> Specifies the NTP version number of this server. The no form of the command defaults NTP to version 4.
Syntax Description	ip-address	IP address of the peer.IPv4, IPv6 and hostname (FQDN) are acceptable.
	ver-num	NTP version. Possible values: 3 or 4
Default	4
Configuration Mode	config
History	3.5.0200 3.6.4000—Added hostname as option for ip-address, and added note
Example	switch (config) # ntp server 10.10.10.10 version 4
Related Commands
Notes	IP addresses must be in IPv4 format (e.g., '192.168.0.1') or IPv6 format with scope zone ID for IPv6 link-local addresses (e.g., '2001:db8:701f::8f9' or 'fe80::21c:23f:ec1:4fb%7') The length of a hostname is limited to 255 characters. Each label (node delimited by a dot in the hostname) is limited to 63 characters and may contain letters, numbers and hyphens ('-'), but may not begin with a hyphen

ntp trusted-key

	ntp trusted-key <key(s)> no ntp trusted-key <key(s)> Adds one or more keys to the trusted key list. The no form of the command removes keys from the trusted key list.
Syntax Description	key(s)	Range: 1-65534
Default	Disabled
Configuration Mode	config
History	3.5.0200
Example	switch (config) # ntp trusted-key 1,3,5switch (config) # ntp trusted-key 1-5
Related Commands
Notes	Keys may be separated with commas without any space, or they may be set as a range using a hyphen.

show clock

	show clock Displays the current system time, date and time zone.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.1.0000 3.6.6000—Updated example
Example	switch (config) # show clock Time: 02:48:41Date: 2018/1/1Time zone: UTC (Etc/UTC)UTC offset: same as UTC
Related Commands
Notes

show ntp

	show ntp Displays the current NTP settings.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.1.0000 3.5.0200—Updated example 3.6.6000—Updated example 3.9.2000—Updated example
Example	switch (config)# show ntp NTP is administratively : enabledVRF name : mgmt NTP Authentication administratively: disabled NTP server role : enabled Clock is synchronized: Reference: 10.7.7.134 Offset : -0.038 ms Active servers and peers: 10.7.7.134: Conf Type : serv Status : sys.peer(*) Stratum : 3 Offset(msec) : -0.038 Ref clock : 192.14.55.225 Poll Interval (sec): 128 Last Response (sec): 101 Auth state : none
Related Commands
Notes

show ntp configured

	show ntp configured Displays NTP configuration.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.1.0000 3.6.6102—Updated example
Example
switch (config) # show ntp configured NTP enabled: yesNTP Authentication enabled: noNTP peer 0.us.pool.ntp.org # Hostname peer configuration Resolved as: 45.79.111.114 Enabled: yes NTP version: 4 Key ID: noneNTP peer 2.3.1.3 # IP peer configuration Enabled: yes NTP version: 4 Key ID: noneNTP server vnc23 # Hostname server configuration Resolved as: 10.7.2.23 Enabled: yes NTP version: 4 Key ID: none Trusted: noNTP server 1.2.3.4 # IP server configuration Enabled: yes NTP version: 4 Key ID: none Trusted: noNTP server idontexist (DNS resolution failed. Reset or reconfigure NTP to try again) Enabled: yes NTP version: 4 Key ID: none Trusted: no
Related Commands
Notes

show ntp keys

	show ntp configured Displays NTP keys.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.5.0200
Example	switch (config) # show ntp keys NTP Key 1 Trusted: yes Encryption Type: MD5NTP Key 2 Trusted: yes Encryption Type: MD5NTP Key 3 Trusted: yes Encryption Type: MD5NTP Key 4 Trusted: yes Encryption Type: md5
Related Commands
Notes

Last updated: March 01, 2023