Wired Intelligent Edge

last person joined: 6 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

ArubaOS-CX as an NTP Time Server

This thread has been viewed 46 times
  • 1.  ArubaOS-CX as an NTP Time Server

    Posted Apr 12, 2019 01:13 AM

    ArubaOS-CX 10.02 introduced the capability to act as a server for NTP, also known as NTP master.

     

    ArubaOS-CX NTP Client Config
    Check the existing NTP client config on the CX switch. (In the example below, the Windows server 10.2.10.2 is not responding to NTP.)

    ntp server 10.2.10.2
    ntp server 10.2.10.3
    ntp enable
    ntp vrf mgmt
    
    8320-upper# sh ntp associations
    ----------------------------------------------------------------------
    ID NAME REMOTE REF-ID ST LAST POLL REACH
    ----------------------------------------------------------------------
    1 10.2.10.2 10.2.10.2 .INIT. 16 - 1024 0
    * 2 10.2.10.3 10.2.10.3 16.110.135.123 3 997 1024 377
    ----------------------------------------------------------------------

     

    ArubaOS-CX NTP Server Config

    NTP master is enabled by default, with no settings.

    8320-upper# sh ntp master
    
    NTP Master Status : Enabled
    
    -----------
    VRF Stratum
    -----------

    To complete the config, add the extra parameters to the config (from the primary if in a VSX cluster):

    ntp master vrf default stratum 3

    If you are running this in a VSX cluster, the ntp master line will be synchronised to the secondary switch.

    8320-lower# sh run | in ntp
    ntp server 10.2.10.2
    ntp server 10.2.10.3
    ntp enable
    ntp vrf mgmt
    ntp master vrf default stratum 3

     

    Config for ArubaOS-Switch (also ProCurve)
    I have added the loopback addresses of both 8320 switches in the VSX cluster. The VLAN interface IPs also work (eg 10.80.32.7 and 10.80.32.8).

    timesync ntp
    ntp unicast
    ntp server 10.80.255.7
    ntp server 10.80.255.8
    ntp enable

    My timezone settings for Sydney Australia:

    time daylight-time-rule user-defined begin-date 10/01 end-date 04/01
    time timezone 600

     

    3500in8xxx(config)# sh ntp associations
    
    NTP Associations Entries
    
    
    Remote St T When Poll Reach Delay Offset Dispersion
    --------------- ---- ---- ------ ----- -------- -------- -------- ----------
    10.80.255.7 4 u 75 10 3 0.000 0.000 15.87588
    10.80.255.8 4 u 75 10 3 0.000 0.000 15.87552

     

    Other Notes
    NTP master is not a virtualized function on ArubaOS-CX. The virtual IP address will not work if you try and use it. 10.80.32.1 is the virtual IP address in this example. Note that it is set to Stratum 16 - this never changes.

    3500in8xxx(config)# sh ntp associations
    
    NTP Associations Entries
    
    
    Remote St T When Poll Reach Delay Offset Dispersion
    --------------- ---- ---- ------ ----- -------- -------- -------- ----------
    10.80.32.1 16 75 17 0 0.000 0.000 15.93835

    NTP authentication isn't currently supported with the OS-CX device acting as server/master.



  • 2.  RE: ArubaOS-CX as an NTP Time Server

    Posted Oct 05, 2019 12:50 PM

    Is NTP Master supported i.c.m with Active-Gateway?

     

    My ntp clients seems to communiate only with the real interface IP's and not the active gateway IP



  • 3.  RE: ArubaOS-CX as an NTP Time Server

    Posted Oct 09, 2019 01:48 PM

    I just got a message from TAC, saying it is not possible. Below a good explanation from TAC:

     

     

    "This is possible to source NTP traffic from the active-gateway Virtual IP, It is inappropriate as the logic behind this Virtual IP is purely for ARP scope. Indeed, as this is not a protocol based VIP (like VRRP), there is no guarantee that for a handshake communication between the NTP server and the NTP client the return packet will go through the same CX node.
    
    Say the NTP communication is initiated by VSX primary with VIP, there is a possibility that packet might comes back through VSX secondary which will handle the received packet as hosting the destination IP, but which will be out-of-sync for NTP protocol as not sourcing this request sequence."

     

     



  • 4.  RE: ArubaOS-CX as an NTP Time Server

    Posted 19 days ago
    Hi Fabian, is what TAC reported to you still currently valid (NTP Server deployed on a VSX cluster)?

    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: ArubaOS-CX as an NTP Time Server

    Posted 21 days ago

    Update

    A quick refresh on this Howto guide. Not much has changed, but I did test iburst (to speed up time sync).
    Also a comment that the 8320 is not a very good device to use as a time source, since it doesn't have an internal battery-backed RTC, but it was what was available at the time.

    CX6300 as NTP Source

    • The 6300 gets its source from the Google time servers (there is a .0 as well, but it doesn't work with ProCurve/AOSS, so I never use it)
    • This is via the MGMT port (mgmt VRF)
    • NTP configured as a master, stratum 3, in VRF default (172.20.100.1 is one of the 6300 IPs in that VRF)

    ntp server 216.239.35.12 iburst
    ntp server 216.239.35.4 iburst
    ntp server 216.239.35.8 iburst
    ntp enable
    ntp vrf mgmt
    ntp master vrf default stratum 3​


    The CX6300 now has NTP running as a master, and other network devices can point to it for time sync.

    CX6200 using the 6300 NTP source

    ntp server 172.20.100.1 iburst prefer
    ntp enable
    ntp vrf mgmt

    Using iburst speeds up sync from what was previously 30-40min, to almost immediately.

    CX6200# sh ntp associations detail
    ----------------------------------------------------------------------
     ID            NAME          REMOTE          REF-ID ST LAST POLL REACH
    ----------------------------------------------------------------------
    * 1    172.20.100.1    172.20.100.1        LOCAL(0)  4 1052 1024   377
    ----------------------------------------------------------------------
    
    NTP Association Key
       code    : First character of each line is the Tally code (Explained below)
       ID      : Server number
       NAME    : NTP server name or IPv4/v6 address (only the first 24 characters of the name are displayed)
       REMOTE  : Remote server IPv4/v6 address
       REF_ID  : Reference ID for the remote server (Can be an IP address). See NTP docs for more information.
       Stratum : (ST) Number of hops between the client and the reference clock.
       LAST    : Time since the last packet was received (seconds unless unit is provided)
       POLL    : Interval (in seconds) between NTP poll packets. Maximum (1024) reached as server and client syncs.
       REACH   : 8-bit octal number that displays status of last eight NTP messages (377 = all messages received).
    
    Key for the Tally code
    This field displays the current selection status.
         : No state information available (e.g. non-responding server)
       x : Out of tolerance (discarded by intersection algorithm)
       . : Discarded by table overflow (not used)
       - : Out of tolerance (discarded by the cluster algorithm)
       + : Good and a preferred remote peer or server (included by the combine algorithm)
       # : Good remote peer or server, but not utilized (ready as a backup source)
       * : Remote peer or server presently used as a primary reference
       o : PPS peer (when the prefer peer is valid)
    CX6200# sh ntp statistics
                     Rx-pkts  158292
     Current Version Rx-pkts  6678
         Old Version Rx-pkts  0
                  Error pkts  0
            Auth-failed pkts  0
               Declined pkts  0
             Restricted pkts  0
           Rate-limited pkts  0
                    KOD pkts  0
    CX6200# sh ntp status
    NTP Status Information
    
    NTP                        : Enabled
    NTP Authentication         : Disabled
    NTP Server Connections     : Using the mgmt VRF
    
    System time                : Sat Sep  4 23:37:13 AEST 2021
    NTP uptime                 : 26 days, 12 hours, 24 minutes, 35 seconds
    
    NTP Synchronization Information
    
    NTP Server                 : 172.20.100.1 at stratum 4
    Poll interval              : 1024 seconds
    Time accuracy              : Within -0.000153 seconds
    Reference time             : Sat Sep  4 2021 23:35:34.934 as per Australia/Sydney
    ​


    ------------------------------
    Richard Litchfield
    Airheads MVP 2020, 2021
    ------------------------------



  • 6.  RE: ArubaOS-CX as an NTP Time Server

    Posted 19 days ago
    Hi Richard, reading your comment: "Also a comment that the 8320 is not a very good device to use as a time source, since it doesn't have an internal battery-backed RTC, but it was what was available at the time." I ask myself if this fact is really so bad?

    I mean...if an Aruba 8320 acting as NTP Server (and being fully synchronized with higher stratum NTP Servers) suddenly reboots what's the issue if [*] the NTP (re)synchronization to NTP Servers is going happen immediately after the boot has come to an end and before starting to serve NTP Clients again? not to defend the Aruba 8320 hardware architecture...just curious.

    [*] I hope it works this way... ;-). 


    ------------------------------
    Davide Poletto
    ------------------------------



  • 7.  RE: ArubaOS-CX as an NTP Time Server

    Posted 19 days ago
    Davide, you are correct for a single failure: eg switch fails or is rebooted as part of a firmware live-upgrade.

    However, when both switches fail at once, it is a different story! I had the the unfortunate personal experience of seeing that happen in that location with those two switches when there was a complete power outage, and everything was offline for some days. The upstream NTP servers did not support iburst, so the time taken for the 8320s to get back into sync was a lot longer than the local devices took to power on and start up with whatever oddball time they started with like 1970, 1980, a week prior, etc. The 8320s also started with whatever their default start time was (like 2010), before taking a considerable period to sync forward 10 years.

    Now the 8320s are NTP clients only.


    ------------------------------
    Richard Litchfield
    Airheads MVP 2020, 2021
    ------------------------------



  • 8.  RE: ArubaOS-CX as an NTP Time Server

    Posted 19 days ago
    Hello Richard, OK that's reasonable. Thanks! Given the unfortunate event you witnessed, the above note looks more understandable (I've to admit that I asked because my plan was to assign the VSX the time-source role as the third NTP Server, just in case...having two Linux VMs running as primary and secondary NTP Servers...but, you know, I recognize that there is always a lot reasoning behind the scenes and every scenario has its points-of-failure).

    ------------------------------
    Davide Poletto
    ------------------------------