Cisco IOS Configuration Fundamentalsby Cisco Systems, Inc., Inc Staff Cisco Systems, Anc Staff Cisco Systems
This comprehensive guide details the Cisco IOS™ software configuration basics. Configuration Fundamentals offers thorough coverage of router and access server configuration and maintenance techniques. In addition to hands-on implementation and task instruction, this book also presents the complete syntax for router and access server commands, and individual examples of each command. Learn to configure interfaces in addition to system management, file loading, AutoInstall, and set up functions.
Read an Excerpt
From Chapter 9: Managing the System
The system clock cannot provide time to the NTP or VINES Time Service if it was set using SNTP.
The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight savings time) so that the time is displayed correctly relative to the local time zone.
The system clock keeps track of whether the time is "authoritative" or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed.
Understanding the Network Time Protocol
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.
NTP uses the concept of a "stratum" to describe how many NTP "hops" away a machine is from an authoritative time source. A "stratum 1" time server has a radio or atomic clock directly attached, a "stratum 2" time server receives its time via NTP from a "stratum 1" time server, an so on. A machine running NTP will automatically choose as its time source the machine with the lowest stratum number thatis configured to communicate with via NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP is careful to avoid synchronizing to a machine whose time may not be accurate. It avoids doing do in two ways. First of all, NTP will never synchronize to a machine that is not in turn synchronized itself. Secondly, NTP will compare the time reported by several machines, and will not synchronize to a machine whose time is significantly different than the others, even if its stratum is lower.
The communications between machines running NTP (known as "associations") are usually statically configured; each machine is given the IP address of all machines with which it should form associations. Accurate timekeeping is made possible by exchanging NTP messages between each pair of machines with an association. However, in a local area network (LAN) environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each machine can simply be configured to send or receive broadcast messages. However, the accuracy of timekeeping is marginally reduced because the information flow is only one-way.
The time kept on a machine is a critical resource, so we strongly recommend that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. Two mechanisms are valuable: an access list-based restriction scheme and an encrypted authentication mechanism.
Cisco's implementation of NTP does not support stratum 1 service; in other words, it is not possible to connect to a radio or atomic clock. It is recommended that time service for your network be derived from the public NTP servers available in the IP Internet. If the network is isolated from the Internet, Cisco's implementation of NTP allows a machine to be configured so that it acts as though it is synchronized via NTP, when in fact it has determined the time by using other means. Other machines then synchronize to that machine via NTP.
When multiple sources of time (VINES, Cisco 7000 calendar, manual configuration) are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.
A number of manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.
Understanding the Simple Network Time Protocol (SNTP)
Simple Network Time Protocol (SNTP) is a simplified, client-only version of NTP for use on Cisco 1003, Cisco 1004, and Cisco 1005 routers. SNMP can receive the time only from NTP servers; it cannot be used to provide time services to other systems.
SNTP typically provides time within 100 milliseconds of the accurate time, but is does not provide the complex filtering and statistical mechanisms of NTP. In addition, SNTP does not authenticate traffic, although you can configure extended access lists to provide some protection. An SNTP client is more vulnerable to misbehaving servers than an NTP client and should be used only in situations in which strong authentication is not required.
You can configure SNTP to request and accept packets from configured servers or to accept NTP broadcast packets from any source. When multiple sources are sending NTP packets, the server with the best stratum is selected. If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected. SNTP chooses a new server only if it stops receiving packets from the currently selected server, or if a better server (according to the previous criteria) is discovered.
Understanding the VINES Time Service
Time service is also available when Banyan VINES is configured. This protocol is a standard part of VINES. Cisco's implementation allows the VINES time service to be used in two ways. First, if the system has learned the time from some other source, it can act as a VINES time server and provide time to other machines running VINES. It also can use the VINES time service to set the system clock if no other form of time service is available.
Using the Cisco 7000 Calendar
The Cisco 7000 contains a battery-powered calendar system that tracks the date and time across system restarts and power outages. This calendar system is always used to initialize the system clock when the system is restarted. It can also be considered to be an authoritative source of time and be redistributed via NTP or VINES time service if no other source is available. Furthermore, if NTP is running, the Cisco 7000 calendar can be periodically updated from NTP, compensating for the inherent drift in the calendar time.
NTP services are enabled on all interfaces by default. The optional tasks you can perform are documented in the following sections:
- Configuring NTP Authentication
- Configuring NTP Associations
- Configuring NTP Broadcast Service
- Configuring NTP Access Restrictions
- Configuring the Source IP Address for NTP Packets
- Configuring the System as an Authoritative NTP Server
- Configuring NTP to Update the Cisco 7000 Calendar...
Most Helpful Customer Reviews
See all customer reviews