1.3.2 Configuring Time Services

Information

This sequence describes configuring time services. AOS-CX supports both NTP client and NTP server functionality. The NTP client can be configured manually or via DHCP option 42.

Network Time services are used to synchronize computer clocks across a network, ensuring accurate and consistent timekeeping for various applications and services. This synchronization is crucial for tasks like file system updates, network management, security, and distributed systems. Network Time Protocol (NTP) provides a reliable source of accurate time that can enable time synchronization between multiple devices dispersed across any network.

Solution

Note: In order for the NTP process to associate with a server, the switch time must be set to within 15 minutes of the NTP server time.

To set switch time:

switch(config)# clock datetime YYYY-MM-DD HH:MM:SS
switch(config)# clock timezone <timezone>
switch(config)#

NTP Client:

Configure an NTP time source:

switch(config)# ntp server <DNS-name or IP-address> <optional parameters>
switch(config)#

Note: Optional parameters:

burst              NTP Association use burst mode
iburst             NTP Association use iburst mode
key-id <4-17>      NTP Key ID
maxpoll <4-17>     NTP maximum poll time to use configuration
minpoll <4-17>     NTP minimum poll time to use configuration
prefer             NTP Association preference configuration
version <3-4>      NTP Association version configuration

To allow the NTP server to be set via DHCP option 42:

switch(config)# ntp dhcp-enable
switch(config)#

To specify a VRF for NTP to listen on:

switch(config)# ntp vrf <vrf_name>

To enable NTP:

switch(config)# ntp enable

Example config of NTP client:

switch(config)# clock datetime 2025-06-30 14:22:00
switch(config)# clock timezone americas/los_angeles
switch(config)# ntp server 10.10.10.10 iburst minpoll 10 maxpoll 14 prefer
switch(config)# ntp server 20.20.20.20
switch(config)# ntp vrf mgmt
switch(config)# ntp enable

NTP Conductor:

Note:

- The NTP client and conductor must be enabled together. Configure the NTP client first.
- The NTP conductor MUST be enabled on a VRF other than the VRF of the NTP client.

Configure an NTP Conductor:

switch(config)# ntp conductor stratum <1-15> vrf <vrf_name>
switch(config)#

Example config of an NTP conductor:

switch(config)# clock datetime 2025-06-30 14:22:00
switch(config)# clock timezone americas/los_angeles
switch(config)# ntp server 10.10.10.10 iburst minpoll 10 maxpoll 14 prefer
switch(config)# ntp vrf mgmt
switch(config)# ntp conductor stratum 4 vrf default
switch(config)# ntp enable

Impact:

Inaccurate timekeeping between network devices can lead to many undesirable results including:

- inability to correlate events between devices, making debugging difficult.
- failure of network authentication services, as many require time synchronization to operate.
- time-based network attacks that exploit differences in the time settings of network devices.

Operational and security best practice is to configure more than 1 NTP server.
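
An audit check for the settings above, added here as an example and not part of the benchmark or of AOS-CX: it scans a saved configuration for `ntp enable`, the number of `ntp server` entries, and a conductor that shares the client VRF. It assumes the saved configuration lines mirror the commands shown above; `audit_ntp` and `SAMPLE_CONFIG` are hypothetical names, and the sample text is constructed.

```python
import re

# Constructed configuration excerpt. Assumption: saved config lines mirror
# the CLI commands shown in this section.
SAMPLE_CONFIG = """\
ntp server 10.10.10.10 iburst minpoll 10 maxpoll 14 prefer
ntp server 20.20.20.20
ntp vrf mgmt
ntp conductor stratum 4 vrf default
ntp enable
"""


def audit_ntp(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    servers, client_vrf, conductor_vrf = [], None, None
    for ln in lines:
        if m := re.fullmatch(r"ntp server (\S+)(?: .*)?", ln):
            servers.append(m.group(1))
        elif m := re.fullmatch(r"ntp vrf (\S+)", ln):
            client_vrf = m.group(1)
        elif m := re.fullmatch(r"ntp conductor stratum \d+ vrf (\S+)", ln):
            conductor_vrf = m.group(1)

    dhcp_sourced = "ntp dhcp-enable" in lines  # server may come from option 42
    findings = []
    if "ntp enable" not in lines:
        findings.append("NTP is not enabled")
    if not servers and not dhcp_sourced:
        findings.append("no NTP server and DHCP option 42 not enabled")
    elif len(servers) == 1:
        findings.append("only one NTP server configured")
    if conductor_vrf is not None:
        # The conductor needs a client configured first, on a different VRF.
        if not servers and not dhcp_sourced:
            findings.append("conductor configured without an NTP client")
        if conductor_vrf == client_vrf:
            findings.append("conductor shares the client VRF " + client_vrf)
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_CONFIG) or ["all NTP checks passed"]:
        print(finding)
```
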

See Also

https://workbench.cisecurity.org/benchmarks/24202