Tomas de Leon
Cisco Employee

 

The following technote is written against Application Policy Infrastructure Controller (APIC) version 1.0(2m). The information may not apply to earlier or later APIC firmware versions.


Table of Contents for this Technote on Date & Time Policy configuration for the ACI fabric.

Note: this is a text representation of the topics discussed in the attached document for Date & Time Policy configuration. Attached is a PDF file with the complete Technote information.

Chapter 1 - Introduction

Chapter 2 - Preparing the ACI Fabric for Date & Time Policy

 

  • Generate a Temporary Root Password to be used for this Lab
  • Check CURRENT Date and Time on Each Controller and Node Switches
  • Update and Save UPDATED Date and Time on Each Controller and Node Switches. Make sure to synchronize the Updated System Running Clock to the Hardware Clock.
  • Check Existing NTP Configuration Parameters on Each Controller and Node Switches


Chapter 3 - Configuring a Date & Time Policy using Network Time Protocol (NTP)
 

  • Create a Date and Time Policy using APIC Admin GUI
  • Add a NTP SERVER using Rest API
  • Add a NTP SERVER using APIC CLI


Chapter 4 - Verify Date & Time Policy using Network Time Protocol (NTP) is Applied and Operational on APICs and Switches

 


Chapter 5 - Additional information for Troubleshooting Date & Time Policy using Network Time Protocol (NTP) on APICs and Switches 



Document Teaser

Verify Date & Time Policy using Network Time Protocol (NTP) is Applied and Operational on APICs and Switches
Verify the configuration of NTP Services for Controllers and Leaf\Spine Switches in your ACI fabric. This section will provide references for CLI commands and tools that may be helpful in troubleshooting the configuration and application of the Date & Time policy for Controllers and Leaf\Spine Switches in your ACI fabric.

 

This section will:

  • Verify configuration of Date & Time Policy (NTP) on APIC Controllers.
  • Verify configuration of Date & Time Policy (NTP) on Leaf\Spine Node Switches.

Note: The examples given in this section of the Technote are not totally inclusive. These are just some examples that I have gathered while troubleshooting NTP Services for the ACI Fabric.

 

Task 1 Verify configuration of Date & Time Policy (NTP) on APIC Controllers

SSH to APIC Controllers and perform the following actions:
CLI Commands

  • cat /etc/ntp.conf
  • ntpstat
  • ntpq -pn
  • echo $?
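
As an added example (not part of the original technote and not Cisco tooling), the shell functions below interpret the Task 1 output: the exit status that `echo $?` reports after `ntpstat`, and the tally code, reach and offset columns of `ntpq -pn`. The function names, the sample peer tables and the 100 ms offset threshold are constructed assumptions.

```shell
# Added example, not from the technote. Sample ntpq output below is constructed.
# Meaning of the exit status that `echo $?` shows right after `ntpstat`.
ntpstat_meaning() {
    case "$1" in
        0) echo "synchronised" ;;
        1) echo "not synchronised" ;;
        2) echo "indeterminate (ntpd not reachable)" ;;
        *) echo "unexpected status $1" ;;
    esac
}

# reach is an octal shift register of the last 8 polls; count the answered ones.
reach_ok_polls() {
    n=$(( 0$1 )); c=0
    while [ "$n" -gt 0 ]; do c=$(( c + (n & 1) )); n=$(( n >> 1 )); done
    echo "$c"
}

# Read `ntpq -pn` output on stdin; $1 = largest acceptable |offset| in ms.
ntpq_verdict() {
    awk -v max="${1:-100}" '
        /remote +refid/ || /^=+$/ { next }     # header and separator lines
        substr($0, 1, 1) == "*" {              # tally "*" = selected system peer
            split(substr($0, 2), f, " ")
            found = 1; peer = f[1]; reach = f[7]; off = f[9] + 0
            if (off < 0) off = -off
        }
        END {
            if (!found)              print "NO_SYS_PEER"
            else if (reach + 0 == 0) print "UNREACHABLE " peer
            else if (off > max + 0)  print "OFFSET_HIGH " peer
            else                     print "OK " peer
        }'
}

sample_synced() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*172.18.108.15   .GPS.            1 u   33   64  377    1.204   -0.213   0.051
+192.0.2.20      172.18.108.15    2 u   12   64  377    2.310    0.842   0.120
EOF
}

sample_unsynced() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 172.18.108.15   .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}
```

Against live output the same check is `ntpq -pn | ntpq_verdict 100`; a peer stuck at refid `.INIT.` with reach 0 never gets the `*` tally, so the verdict is `NO_SYS_PEER`.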


Task 2 Verify configuration of Date & Time Policy (NTP) on Leaf\Spine Node Switches

SSH to LEAF\SPINE NODES and perform the following actions:
CLI Commands

  • show ntp peers
  • show ntp peer-status
  • show ntp statistics peer ipaddr 172.18.108.15
  • vsh -c "show ntp status"
  • vsh -c "show ntp statistics io"
  • vsh -c "show ntp statistics local"
  • show ntp internal log-buffer
  • show ntp internal event-history msgs
  • show ntp internal event-history config
  • (root) tcpdump -i eth0 -f port 123
  • cat /etc/timezone
  • cat /etc/timestamp



Additional information for Troubleshooting Date & Time Policy using Network Time Protocol (NTP) on APICs and Switches
Note: Regarding display questions with Date & Time: the TimeZone parameter alters the time zone configured and displayed on the CLI of the APIC, for example when using the date command. A symbolic link is created from localtime to zoneinfo.

 

i.e. localtime -> /usr/share/zoneinfo/America/New_York

 

The display format (local\utc) and Offset State configuration control what is "displayed" for Current System Time on the status bar of the APIC GUI. This information is retrieved from the API using "topInfo". In versions 1.0(1x) and 1.0(2x), there are no adjustments for Daylight Savings. As a result, you may see a time differential of 1 hour from the actual time. In the next FCS release, Daylight Savings will be accounted for in the Offset State.

 

Check System Time on DEVICES
On APIC:

  • cat /mit/topology/pod-1/node-1/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-2/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-3/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-101/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-102/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-103/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-104/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-201/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-202/sys/summary | grep currentTime

 

Visore:

  • topInfo
  • datetimeANtpAuthKey (Client Authentication Key)
  • datetimeANtpProv (Datetime Providers)
  • datetimeAPol (Date and Time Policy)
  • datetimeClkPol (Date Time Policy)
  • datetimeConfIssues (Datetime Policy Configuration Issues)
  • datetimeFormat (Datetime Format)
  • datetimeNtpAuth (Authentication Key)
  • datetimeNtpAuthKey (Datetime Client Authentication Key)
  • datetimeNtpProv (Providers)
  • datetimeNtpProvider (NTP Server)
  • datetimeNtpProviderStatus (ProviderStatus)
  • datetimeNtpq (Ntp Concrete Details)
  • datetimePol (Date and Time Policy)
  • datetimeRsNtpProvToEpg (Relation to Reachability Epg)
  • datetimeRsNtpProvToEpp (Relation to Datetime Provider Reachability EPP)
  • datetimeRsNtpProvToNtpAuthKey (Relation to Datetime Authentication Key)
  • datetimeRsNtpProviderToNtpAuth (Ntp Authentication Attachment)
  • datetimeRtCtrlrDatetimeFormat (Relation Holder)
  • datetimeRtFormatPol (Relation Holder)
  • datetimeRtNtpProvToNtpAuthKey (Providers)
  • datetimeRtNtpProviderToNtpAuth (NTP Server)
  • datetimeRtResDatetimeFormat (Access Instance)
  • datetimeRtTimePol (POD Policy Group)
  • datetimeStatistics (Ntp Provider Statistics)

CLI:

  • moquery -c datetimeFormat (apic)
  • moquery -c topInfo (apic)
  • moquery -c datetimeNtpq (apic)
  • moquery -c datetimeConfIssues (leaf\spine)
  • acidiag avread
  • acidiag fnvreadex 



Sample of Information to Request from Customer to assess Date & Time Issues:

 

From an APIC Controller

  • version
  • acidiag verifyapic
  • date
  • date -u
  • cat /mit/topology/pod-1/node-1/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-101/sys/summary | grep currentTime
  • cat /mit/topology/pod-1/node-201/sys/summary | grep currentTime
  • moquery -c topInfo
  • moquery -c datetimeFormat
  • moquery -c datetimeNtpq
  • cat /etc/ntp.conf
  • ntpstat
  • ntpq -pn
  • echo $?
  • acidiag avread
  • acidiag fnvreadex

 

From a Leaf node

  • date
  • date -u
  • show clock
  • show ntp peers
  • show ntp peer-status
  • acidiag avread
  • acidiag fnvreadex
  • cat /etc/timezone
  • cat /etc/timestamp

 

From a Spine node

  • date
  • date -u
  • show clock
  • show ntp peers
  • show ntp peer-status
  • acidiag avread
  • acidiag fnvreadex
  • cat /etc/timezone
  • cat /etc/timestamp



Attached: aci-buzzfeednews-datetime.pdf

Comments
fabian@zurich
Level 1

Hi Tomas,

Nice step-by-step instruction, BUT from where do I get the Python script for the root access?

http://git.insieme.local/cgi-bin/generateRootPassword.py
 

Looks like an internal link,

Thanx for help, Fabian

Tomas de Leon
Cisco Employee

Fabian,

Yes, "currently" root access requires a TAC Case since the Password generation tool is an internal resource.

There is an effort to get certain commands like the "hwclock" commands accessible via the "admin" user.  Then Root would not be needed.

I left the section showing this so that you and others can be aware that if you are having Fabric Discovery issues, you can look at your Date\Time status on the Leaf\Spine\APICs to identify a "possible" cause.

 

NTP should be used to try to avoid Date\Time Drifts but if NTP is not configured there is a necessity to sync system running clocks to hardware clocks.

 

Thank you for using the Cisco Support Community!

 

T.

 

 

michelvankessel
Level 5

Hello Leon,

Is it possible to use the ACI devices as an NTP server for the rest of the network? Let's say the spine switches.

thanks

Michel van Kessel

Hi,

Even I have the same requirement to make ACI a clock provider to the rest of the network. Can anybody help on this? Is it possible to configure the ACI fabric to provide clock to other servers/devices on the network?

jucoutur
Cisco Employee

Hi,

 

ACI fabric providing NTP service will be available with ACI 3.1.

 

Thanks,

Julien
