How to set up an NTP server and configure NTP or SNTP on switches

  1. We install the NTP server on the Linux server. The IP of our server is 208.x.x.x (same as the Syslog server). It can be installed/updated on CentOS using yum:

    # yum install ntp
    # service ntpd start
    # chkconfig ntpd on

    (If the NTP server is a Virtuozzo VPS, the proper module needs to be added to the VPS on the hypervisor:

    # vzctl set CTID --capability sys_time:on --save )

    These are some basic commands:

    # ntpq -p
    # ntpq -c as
    # ntpq -c pe
    # ntpq

     

  2. Edit /etc/ntp.conf and add the following to it in order to limit the interface/IP that the NTP server is listening on.

    interface ignore all
    interface listen venet0:0
     

  3. In order to limit access to the NTP server to internal servers, we add the following rules to the firewall:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     udp  --  208.x.x.0/22         anywhere            multiport dports ntp,syslog
    ACCEPT     udp  --  208.x.x.0/22         anywhere            multiport dports ntp,syslog
    ACCEPT     udp  --  199.x.x.0/21         anywhere            multiport dports ntp,syslog
    ACCEPT     udp  --  10.x.x.0/16          anywhere            udp dpt:ntp
    DROP       udp  --  anywhere             anywhere            multiport dports ntp,syslog
     

  4. We configure NTP/SNTP on the switches. We also set the time zone and daylight saving time. HP ProCurve 2848 switches only support SNTP.

    # show time
    # show sntp

    (and in config mode)

    # time timezone -300  (GMT-300 minutes)
    # time daylight-time-rule Continental-US-and-Canada
    # sntp server 208.x.x.x  7  (version is 7)
    # timesync sntp
    # sntp unicast
    # sntp 300  (Sync with NTP server every 300 sec.)

    For Brocade FCX648 (Core switches) SNTP is deprecated and NTP has to be configured. The commands are as follows:

    # show clock (detail)
    # show ntp status
    # show ntp associations

    (In config mode)

    # ntp
    # disable serve (To make sure that it is not acting as an NTP server and is only a client)
    # server 208.x.x.x minpoll 9 maxpoll 12 burst (min. polling interval is 2^9)
    # clock timezone us eastern
    # clock summer-time

    For Dell switches we have:

    # show sntp status
    # show clock
    (In config mode)
    # sntp unicast client enable
    # sntp server 208.x.x.x
    # clock summer-time recurring USA
    # clock timezone -5 minutes 0 zone "EST"

     

  5. In order for the PDUs (Drac VLAN subnet 10.10.0.0/16) to have access to the NTP server, a permanent route has been added to the NTP server so that the packets are routed to the VPN server (10.10.0.1). In this case, since the NTP server is a host-routed VPS, the route must be added to the hypervisor. See this KB: How to add a static route to a host-routed Linux VPS
    An easier way is to add an interface in the Drac VLAN to the NTP server. Since the NTP server is a host-routed container, an interface also needs to be added to the VZ server.
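
To check the firewall restriction from step 3, the following added example (not part of the original KB) audits `iptables -S INPUT` output and reports which sources may reach UDP/123 and whether a new request from any other source is dropped. The sample rules are constructed: the networks are placeholders, and `-i lo` on the first rule is an assumption, since the plain listing in step 3 does not show interfaces.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output for exposure of UDP/123.
# Prints "ALLOW <net>" per permitted source, then a verdict; returns 0 only if
# a new NTP request from an arbitrary source is dropped.
# Simplified: no port ranges, "!" negation or user-defined chains.
audit_ntp() {
  awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      iface = src = proto = ports = state = target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-i") iface = $(i+1)
        else if ($i == "-s") src = $(i+1)
        else if ($i == "-p") proto = $(i+1)
        else if ($i == "--dport" || $i == "--dports") ports = $(i+1)
        else if ($i == "--state" || $i == "--ctstate") state = $(i+1)
        else if ($i == "-j") target = $(i+1)
      }
      if (iface == "lo") next                        # loopback traffic only
      if (state != "" && state !~ /NEW/) next        # replies, not new requests
      if (proto != "" && proto != "all" && proto != "udp") next
      if (ports != "" && ("," ports ",") !~ /,(123|ntp),/) next
      if (src != "" && src != "0.0.0.0/0") {         # source-restricted rule
        if (target == "ACCEPT") print "ALLOW " src
        next
      }
      verdict = target; rule = $0; exit              # first rule matching any source
    }
    END {
      if (verdict == "") { verdict = policy; rule = "chain policy " policy }
      if (verdict == "DROP" || verdict == "REJECT") { print "RESTRICTED by: " rule; exit 0 }
      print "EXPOSED by: " rule; exit 1
    }'
}

# Constructed sample mirroring the chain in step 3 (placeholder networks).
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp -m multiport --dports 123,514 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m multiport --dports 123,514 -j DROP
EOF
}

sample_rules | audit_ntp
```

On a live server, run it as `iptables -S INPUT | audit_ntp`; if the first ACCEPT rule turns out not to be bound to `lo`, the verdict is EXPOSED because that rule matches before the DROP.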