在Nexus上將網路時間協定配置為伺服器和客戶端
簡介
本文檔介紹如何對Nexus 9000平台進行簡單配置和驗證,使之同時充當網路時間協定(NTP)伺服器和客戶端。
必要條件
需求
思科建議您瞭解以下主題:
- Nexus NX-OS軟體。
- 網路時間協定(NTP)。
採用元件
本文檔中的資訊基於帶NXOS版本10.2(5)的Cisco Nexus 9000。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
設定
NTP是一種網路協定,用於同步從網路裝置接收系統日誌和其他特定時間事件時網路內一組裝置的時間,以關聯事件。
網路圖表
組態
步驟 1.啟用NTP。
feature ntp
步驟 2.將時鐘協定設定為NTP。
clock protocol ntp步驟 3.將Nexus定義為NTP客戶端和伺服器。
警告:即使資料包在伺服器與客戶端之間進行交換,此協定仍可能需要幾分鐘才能同步。
注意:NTP採用層的概念來指示電腦與權威時間源之間的距離(以NTP跳為單位)。使用「ntp master <stratum>」命令在Nexus上啟用NTP伺服器時,可以配置此值。
N9K-1# show running-config ntp
ntp source 10.0.0.1
ntp master 1
N9K-2# show running-config ntp
ntp server 10.0.0.1 use-vrf default
ntp source 10.0.0.2
ntp master 8
N9K-3# show running-config ntp
ntp server 172.16.0.1 use-vrf default
ntp source 172.16.0.2
驗證
注意:出於驗證目的,驗證僅專注於N9K-2,因為它同時運行NTP伺服器和客戶端角色。
1. 確認時鐘配置了NTP協定。
N9K-2# show clock
12:32:51.528 UTC Thu Sep 28 2023
Time source is NTP <<<<<2. 確認NTP伺服器和Nexus IP已列出。
注意: IP地址為127.127.1.0的條目是一個本地IP,指示Nexus已與自身同步,代表作為NTP伺服器角色一部分的本地生成的參考時鐘源。
N9K-2# show ntp peers
--------------------------------------------------
Peer IP Address Serv/Peer
--------------------------------------------------
10.0.0.1 Server (configured)
127.127.1.0 Server (configured) <<<3. 確認已選取要同步的NTP伺服器。
注意:第16層表示伺服器目前並未與可靠的時間來源同步,且永遠不會選取伺服器進行同步。從Cisco NX-OS版本10.1(1)開始,只有13或更低層級可以同步。
N9K-2# show ntp peer-status
Total peers : 2
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay vrf
-----------------------------------------------------------------------------------------------------------------------
=127.127.1.0 10.0.0.2 8 16 0 0.00000
*10.0.0.1 10.0.0.2 2 32 377 0.00107default <<< server selected for sync (*)
4. 驗證NTP資料包是否已接收並傳送到伺服器。
注意:命令「show ntp statistics peer ipaddr <ntp-server>」僅適用於NTP客戶端。如果計數器上有非預設值,可以使用命令「clear ntp statistics all-peers」將其清除。
N9K-2# show ntp statistics peer ipaddr 10.0.0.1
remote host: 10.0.0.1
local interface: 10.0.0.2
time last received: 28s
time until next send: 5s
reachability change: 876s
packets sent: 58 <<<<<
packets received: 58 <<<<<
bad authentication: 0
bogus origin: 0
duplicate: 0
bad dispersion: 0
bad reference time: 0
candidate order: 6雙向NTP資料包流的資料包捕獲示例:
N9K-2# ethanalyzer local interface inband display-filter ntp limit-captured-frames 0
Capturing on 'ps-inb'
4 2024-01-01 03:23:47.900233043 172.16.0.2 → 172.16.0.1 NTP 90 NTP Version 4, client
2 5 2024-01-01 03:23:47.900863464 172.16.0.1 → 172.16.0.2 NTP 90 NTP Version 4, server
6 2024-01-01 03:23:52.926382561 10.0.0.2 → 10.0.0.1 NTP 90 NTP Version 4, client
4 7 2024-01-01 03:23:52.927169592 10.0.0.1 → 10.0.0.2 NTP 90 NTP Version 4, server5. 搜尋從Nexus傳送到其NTP客戶端的資料包,以確認使用配置的NTP伺服器作為參考:
N9K-2# ethanalyzer local interface inband display-filter ntp limit-captured-frames 0 detail
Capturing on 'ps-inb'
...
<output omitted>
...
Frame 5: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface ps-inb, id 0
Interface id: 0 (ps-inb)
Interface name: ps-inb
Encapsulation type: Ethernet (1)
Arrival Time: Jan 1, 2024 03:24:35.900699824 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1704079475.900699824 seconds
[Time delta from previous captured frame: 0.000643680 seconds]
[Time delta from previous displayed frame: 0.000643680 seconds]
[Time since reference or first frame: 10.974237168 seconds]
Frame Number: 5
Frame Length: 90 bytes (720 bits)
Capture Length: 90 bytes (720 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:ntp]
Ethernet II, Src: d4:77:98:2b:4c:87, Dst: f8:0b:cb:e5:d9:fb
Destination: f8:0b:cb:e5:d9:fb
Address: f8:0b:cb:e5:d9:fb
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: d4:77:98:2b:4c:87
Address: d4:77:98:2b:4c:87
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.0.1, Dst: 172.16.0.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 76
Identification: 0xbd85 (48517)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17) <<<<< UDP protocol number
Header checksum: 0xa5f7 [validation disabled]
[Header checksum status: Unverified]
Source: 172.16.0.1 <<<<<
Destination: 172.16.0.2 <<<<< NTP Client
User Datagram Protocol, Src Port: 123, Dst Port: 123
Source Port: 123
Destination Port: 123
Length: 56
Checksum: 0x71d5 [unverified]
[Checksum Status: Unverified]
[Stream index: 1]
[Timestamps]
[Time since first frame: 0.000643680 seconds]
[Time since previous frame: 0.000643680 seconds]
Network Time Protocol (NTP Version 4, server)
Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (3)
Peer Polling Interval: 4 (16 seconds)
Peer Clock Precision: 0.000000 seconds
Root Delay: 0.001083 seconds
Root Dispersion: 0.013611 seconds
Reference ID: 10.0.0.1 <<<<< NTP server
Reference Timestamp: Jan 1, 2024 03:22:32.927228435 UTC
Origin Timestamp: Jan 1, 2024 03:24:35.896950020 UTC
Receive Timestamp: Jan 1, 2024 03:24:35.900271042 UTC
Transmit Timestamp: Jan 1, 2024 03:24:35.900397771 UTC6. 執行ELAM以驗證是否已將封包正確指派給主管(COPP)重新導向ACL的統計資料:
注意:NTP流量必須傳送到CPU,因此已設定sup_hit標誌。
N9K-2# debug platform internal tah elam
N9K-2(TAH-elam)# trigger init
Slot 1: param values: start asic 0, start slice 0, lu-a2d 1, in-select 6, out-select
N9K-2(TAH-elam-insel6)# reset
N9K-2(TAH-elam-insel6)# set outer ipv4 next-protocol 17 packet-len 76 src_ip 10.0.0.1 dst_ip 10.0.0.2
N9K-2(TAH-elam-insel6)# start
N9K-2(TAH-elam-insel6)# report
SUGARBOWL ELAM REPORT SUMMARY
slot - 1, asic - 0, slice - 0
============================
Incoming Interface: Eth1/48
Src Idx : 0xbd, Src BD : 4147
Outgoing Interface Info: dmod 0, dpid 0
Dst Idx : 0x5bf, Dst BD : 4147
Packet Type: IPv4
Dst MAC address: D4:77:98:2B:4C:87
Src MAC address: D4:77:98:2B:43:27
Sup hit: 1, Sup Idx: 2753 <<<<< packet punt identifier, use below CLI to resolve its meaning
Dst IPv4 address: 10.0.0.2
Src IPv4 address: 10.0.0.1
Ver = 4, DSCP = 0, Don't Fragment = 0
Proto = 17, TTL = 255, More Fragments = 0
Hdr len = 20, Pkt len = 76, Checksum = 0xae26
L4 Protocol : 17
UDP Dst Port : 123
UDP Src Port : 123
Drop Info:
----------
LUA:
LUB:
LUC:
LUD:
Final Drops:
vntag:
vntag_valid : 0
vntag_vir : 0
vntag_svif : 0
ELAM not triggered yet on slot - 1, asic - 0, slice - 1
N9K-2(TAH-elam-insel6)# show system internal access-list sup-redirect-stats | i 2753
2753 copp-system-p-acl-ntp 462 <<<<< correct ACL assigned相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
28-Feb-2024 |
初始版本 |
意見