In the case of HSRP, a given device may have up to operational groups configured. In order to distribute the load on the device and network, the HSRP timers use a jitter.
Cisco IOS Software Releases 12.2 SX
For example, for a hold time set to 15 seconds, the actual hold time may take 18 seconds. Note: See the information about the ingress keyword. Following an NSF with SSO switchover, traffic loss occurs on the links where the protocols are configured until the protocols converge. Other supported types of tunneling run in software on the MSFC3.
The PFC3 does not provide hardware acceleration for tunnels configured with the tunnel key command. The tunnel ttl command default sets the TTL of encapsulated packets. The tunnel tos command, if present, sets the ToS byte of a packet when it is encapsulated. If the tunnel tos command is not present and QoS is not enabled, the ToS byte of the inner packet is copied to the ToS byte of the encapsulating packet.
To configure the tunnel tos and tunnel ttl commands, refer to this publication:. Hardware-assisted tunnels cannot share a source address even if the destination addresses are different.
Use secondary addresses on loopback interfaces or create multiple loopback interfaces. Failure to use unique source addresses may result in control plane failures when software path congestion occurs. For configuration information, refer to this publication:. For command reference information, refer to this publication:. See the ip proxy-arp command documentation. The bandwidth remaining percent command allows you to configure the remaining bandwidth for output queues.
The aggregate of all user-configured EIR bandwidth percentages cannot exceed percent. If the aggregate of all remaining bandwidth is less than percent, the remainder is evenly split among user queues including the default queue that do not have a remaining bandwidth percentage configured. The minimum EIR value of each output queue is 1.
This example shows how to use the bandwidth remaining percent command to distribute percentages of remaining bandwidth to various traffic classes in a policy map:

You do not need to configure multicast fast switching or multicast distributed fast switching (MDFS); multicast CEF switching is supported with Release

Note: Releases earlier than Release

When configuring PBR, follow these guidelines and restrictions:

For information about SSHv1 client support, refer to the following publication:

Note: TDR can test cables up to a maximum length of meters. Note: Because Release Static routes are also supported.

Updated: January 19, Chapter: Features.

Feature Sets

These sections describe the feature sets in Release This product bulletin explains the feature sets used in Release Strong encryption images are subject to U.
The country and class of end users eligible to receive and use Cisco encryption solutions are limited. When applicable, this section refers to those publications for platform-independent features supported in the Cisco IOS

New Features in Release

New Software Features in Release

If the system controller reset threshold has been reached, reload the supervisor engine.

New Hardware Features in Release

Configuration of up to interfaces supported.
This feature has limited support based on the provided sample configuration. With the typical topology (hub and spoke) in a campus environment, where the wiring closets (spokes) are connected to the distribution switch (hub), forwarding all nonlocal traffic to the distribution layer, the wiring closet switch need not hold a complete routing table. Most stratum 1 and stratum 2 servers on the Internet adopt this form of network setup.
Use the ntp peer command to individually specify the time-serving hosts that you want your networking device to consider synchronizing with and to set your networking device to operate in the symmetric active mode. The specific mode that you should set each of your networking devices to depends primarily on the role that you want them to assume as a timekeeping device (server or client) and their proximity to a stratum 1 timekeeping server.
A networking device engages in polling when it is operating as a client or a host in the client mode or when it is acting as a peer in the symmetric active mode. Although polling does not usually exact a toll on memory and CPU resources such as bandwidth, an exceedingly large number of ongoing and simultaneous polls on a system can seriously impact the performance of a system or slow the performance of a given network.
To avoid having an excessive number of ongoing polls on a network, you should limit the number of direct, peer-to-peer or client-to-server associations.
Instead, you should consider using NTP broadcasts to propagate time information within a localized network. Broadcast-based NTP associations should be used when time accuracy and reliability requirements are modest and if your network is localized and has more than 20 clients. Broadcast-based NTP associations are also recommended for use on networks that have limited bandwidth, system memory, or CPU resources. A networking device operating in the broadcast client mode does not engage in any polling.
Instead, it listens for NTP broadcast packets that are transmitted by broadcast time servers. Consequently, time accuracy can be marginally reduced because time information flows only one way. Use the ntp broadcast client command to set your networking device to listen for NTP broadcast packets propagated through a network. In order for broadcast client mode to work, the broadcast server and its clients must be located on the same subnet. The time server that is transmitting NTP broadcast packets will also have to be enabled on the interface of the given device using the ntp broadcast command.
The access list-based restriction scheme allows you to grant or deny certain access privileges to an entire network, a subnet within a network, or a host within a subnet. The access group options are scanned in the following order, from least restrictive to the most restrictive:. If the source IP address matches the access lists for more than one access type, the first type is granted access. If no access groups are specified, all access types are granted to all systems.
If any access groups are specified, only the specified access types will be granted access. The encrypted NTP authentication scheme should be used when a reliable form of access control is required. Unlike the access list-based restriction scheme that is based on IP addresses, the encrypted authentication scheme uses authentication keys and an authentication process to determine if NTP synchronization packets sent by designated peers or servers on a local network are deemed as trusted before the time information that they carry along with them is accepted.
The authentication process begins from the moment an NTP packet is created. Cryptographic checksum keys are generated using the Message Digest 5 (MD5) algorithm and are embedded into the NTP synchronization packet that is sent to a receiving client. Once a packet is received by a client, its cryptographic checksum key is decrypted and checked against a list of trusted keys. If the packet contains a matching authentication key, the time-stamp information that is contained within it is accepted by the receiving client.
NTP synchronization packets that do not contain a matching authenticator key are ignored. It is important to note that the encryption and decryption processes used in NTP authentication can be very CPU-intensive and can seriously degrade the accuracy of the time that is propagated within a network. If your network setup permits a more comprehensive model of access control, you should consider the use of the access list-based form of control instead. After NTP authentication is properly configured, your networking device will synchronize with and provide synchronization only to trusted time sources.
NTP services are disabled on all interfaces by default. You can selectively prevent NTP packets from being received through a specific interface by using the ntp disable command in interface configuration mode. Use the ntp source interface command in global configuration mode if you want to configure a specific interface from which the IP source address will be taken.
This interface will be used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server command. Use the ntp master [stratum] command in global configuration mode if you want the system to be an authoritative NTP server, even if the system is not synchronized to an outside time source. SNTP typically provides time within milliseconds of the accurate time, but it does not provide the complex filtering and statistical mechanisms of NTP.
In addition, SNTP does not authenticate traffic, although you can configure extended access lists to provide some protection. An SNTP client is more vulnerable to misbehaving servers than an NTP client and should be used only in situations where strong authentication is not required. When multiple sources are sending NTP packets, the server with the best stratum is selected. If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected. SNTP will choose a new server only if it stops receiving packets from the currently selected server, or if a better server according to the criteria described is discovered.
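The SNTP source selection rule above, as an added Python illustration that is not Cisco code: the sources, addresses and arrival order are constructed, and stratum 16 is treated as unsynchronized, as in the show ntp status output later on this page.

```python
from dataclasses import dataclass


@dataclass
class SntpSource:
    address: str        # constructed documentation address, not a real server
    stratum: int
    configured: bool    # True if learned from "sntp server", False for a broadcast source
    first_seen: int     # order in which this source's first time packet arrived
    alive: bool = True  # False once packets from it have stopped arriving


UNSYNCHRONIZED = 16     # stratum 16: the source itself has no reference clock


def rank(source):
    """Lower is better: best stratum, then configured before broadcast,
    then the source whose time packet arrived first."""
    return (source.stratum, not source.configured, source.first_seen)


def best_source(sources):
    """The source SNTP selects among those currently sending usable time, or None."""
    usable = [s for s in sources if s.alive and 0 < s.stratum < UNSYNCHRONIZED]
    return min(usable, key=rank) if usable else None


def reselect(current, sources):
    """SNTP keeps its current source unless it has gone quiet or a strictly
    better one (by the same criteria) has been discovered."""
    candidate = best_source(sources)
    if current is None or not current.alive or current not in sources:
        return candidate
    if candidate is not None and rank(candidate) < rank(current):
        return candidate
    return current


if __name__ == "__main__":
    # Constructed pool: one configured stratum-3 server, one broadcast stratum-2
    # source, and one configured stratum-2 server that spoke last.
    pool = [SntpSource("192.0.2.10", 3, configured=True, first_seen=1),
            SntpSource("192.0.2.20", 2, configured=False, first_seen=2),
            SntpSource("192.0.2.30", 2, configured=True, first_seen=3)]
    chosen = best_source(pool)
    print("selected:", chosen.address)                     # 192.0.2.30
    chosen.alive = False                                   # it stops sending packets
    print("after loss:", reselect(chosen, pool).address)   # 192.0.2.20
```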
Second, it can use the VINES time service to set the software clock if no other form of time service is available. Some routers contain a battery-powered hardware clock that tracks the date and time across system restarts and power outages. The hardware clock is always used to initialize the software clock when the system is restarted. If NTP is running, the hardware clock can be updated periodically from NTP, compensating for the inherent drift in the hardware clock. You can configure a hardware clock (system calendar) on any device to be periodically updated from the software clock.
This is advisable for any device using NTP: the time and date on the software clock, set using NTP, will be more accurate than the hardware clock, whose time setting has the potential to drift slightly over time. Use the ntp update-calendar command in global configuration mode if a routing device is synchronized to an outside time source via NTP and you want the hardware clock to be synchronized to NTP time.
Perform the following tasks to configure NTP service on your networking device. The NTP package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. NTP versions 4. The vulnerability is due to an error in handling certain malformed messages. An unauthenticated, remote attacker could send a malicious NTP packet with a spoofed source IP address to a vulnerable host. The host that processes the packet sends a response packet back to the transmitter.
This action could start a loop of messages between the two hosts that could cause both hosts to consume excessive CPU resources, use up disk space writing messages to log files, and consume network bandwidth. These could cause a DoS condition on the affected hosts. To display whether a device is configured with NTP, use the show running-config | include ntp command. If the output returns any of the following commands, then that device is vulnerable to the attack:. There are no workarounds other than disabling NTP on the device. Only packets destined for any configured IP address on the device can exploit this vulnerability.
Transit traffic will not exploit this vulnerability. Configure the ntp allow mode private command to process NTP mode 7 packets. This command is disabled by default. You can specify the time-serving hosts that you want your networking device to consider synchronizing with and set your networking device to operate in the client mode or in the symmetric active mode. The specific mode that you should set each of your networking devices to depends primarily on the role that you want it to assume as a timekeeping device (server or client) and its proximity to a stratum 1 timekeeping server.
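The receiver-side authentication check described earlier (trusted-key lookup and MD5 authenticator) together with the mode 7 policy just described, as an added Python illustration that is not Cisco code. It assumes the RFC 5905 symmetric-key authenticator layout (a 4-byte key id followed by MD5 over key and packet); the trusted-key table, key strings and packets are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed trusted-key table, standing in for "ntp authentication-key <id> md5 <key>"
# plus "ntp trusted-key <id>". Key ids and key strings are made up for this example.
TRUSTED_KEYS = {1: b"example-md5-key", 7: b"second-example-key"}
NTP_HEADER_LEN = 48   # fixed NTP v4 header; the authenticator (key id + MD5) follows it
MODE_PRIVATE = 7      # mode 7 "private" packets, processed only with ntp allow mode private


def build_packet(mode, stratum=2):
    """Build a constructed 48-byte NTP header: LI=0, VN=4, given mode and stratum."""
    li_vn_mode = (0 << 6) | (4 << 3) | (mode & 0x07)
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll=6, precision=-20
    body = struct.pack("!IIIQQQQ", 0, 0, 0x4C4F434C,           # root delay/disp, ref id "LOCL"
                       0, 0, 0, 0xE8D4A51000000000)            # four 64-bit timestamps
    return head + body


def sign(packet, key_id, key):
    """Append an RFC 5905 style authenticator: 4-byte key id + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(packet, allow_private=False):
    """Return (accepted, reason). Mirrors the receiver: apply the mode 7 policy, look the
    key id up in the trusted list, recompute the digest, and ignore the packet on failure."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet: ignored"
    if packet[0] & 0x07 == MODE_PRIVATE and not allow_private:
        return False, "mode 7 (private) packet dropped: ntp allow mode private not set"
    if len(packet) < NTP_HEADER_LEN + 20:
        return False, "no authenticator present: ignored"
    message, key_id_raw, digest = packet[:-20], packet[-20:-16], packet[-16:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    key = TRUSTED_KEYS.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not a trusted key: ignored"
    expected = hashlib.md5(key + message).digest()
    if not hmac.compare_digest(digest, expected):   # constant-time comparison
        return False, f"authenticator mismatch for key id {key_id}: ignored"
    return True, f"accepted, time stamps trusted (key id {key_id})"


def tamper_stratum(packet, new_stratum):
    """Constructed helper: change the stratum byte after signing, so the check fails."""
    return packet[:1] + bytes([new_stratum]) + packet[2:]


if __name__ == "__main__":
    server_pkt = sign(build_packet(4), 1, TRUSTED_KEYS[1])   # mode 4 = server reply
    for name, pkt in [("good", server_pkt),
                      ("untrusted key", sign(build_packet(4), 9, b"rogue-key")),
                      ("tampered", tamper_stratum(server_pkt, 1)),
                      ("unauthenticated", build_packet(4)),
                      ("mode 7", sign(build_packet(7), 1, TRUSTED_KEYS[1]))]:
        print(f"{name:16s} -> {verify(pkt)}")
```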
Note that only one end of an association needs to be configured; the other system will automatically establish the association. The ntp clock-period command is automatically generated to display the constantly changing correction factor when the copy running-configuration startup-configuration command is entered to save the configuration to NVRAM. Do not attempt to manually use the ntp clock-period command. Ensure that you remove this command line when copying configuration files to other devices.
You can set your networking device to listen for NTP broadcast packets propagated through a network.
The time server that is transmitting NTP broadcast packets will also have to be enabled on the interface of the given device. The ntp clock-period command is automatically generated to reflect the constantly changing correction factor when the copy running-configuration startup-configuration command is entered to save the configuration to NVRAM.
Ensure that you remove this command line from the configuration when copying configuration files to other devices. To configure NTP authentication, perform the following task. However, certain Cisco devices allow you to connect to an external GPS-based time source device for the purposes of distributing a time signal to your network using NTP. The refclock (reference clock) drivers on these platforms provide the ability to receive a Request To Send (RTS) time-stamp signal on the auxiliary port of your routing device.
SNTP generally is supported on those platforms that do not provide support for NTP, such as the Cisco series, series, and series platforms. SNTP is disabled by default. To configure SNTP, perform the following task. If no other source of time is available, you can manually configure the current time and date after the system is restarted. The time will remain accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the router can synchronize, you need not manually set the software clock.
Perform the following task to configure the time and date manually.

Router(config)# clock summer-time PST recurring 1 monday january 4 Tuesday december
Configures summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year.

Router(config)# clock summer-time PST date 1 january 4 december

Most Cisco devices have a separate hardware-based clock in addition to the software-based clock.
The hardware clock is a chip with a rechargeable backup battery that can retain the time and date information across reboots of the device. To maintain the most accurate time, the software clock should receive time updates from an authoritative time source on the network.
The hardware clock should in turn be updated at regular intervals from the software clock while the system is running. The hardware clock (system calendar) maintains time separately from the software clock. The hardware clock continues to run when the system is restarted or when the power is turned off. Typically, the hardware clock needs to be manually set only once, when the system is installed.
You should avoid setting the hardware clock manually if you have access to a reliable external time source. Time synchronization should instead be established using NTP. Cisco IOS software allows implementation of features based on the time of day. The time-range global configuration command defines specific times of the day and week, which then can be referenced by a function, so that those time restrictions are imposed on the function itself. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect.
Prior to the introduction of this feature, access list statements were always in effect once they were applied. Both named and numbered access lists can reference a time range. Network administrators can control logging messages. Access list entries can log traffic at certain times of the day, but not constantly.
Therefore, administrators can simply deny access without the need to analyze the many logs generated during peak hours.

Do one of the following:

Router(config-time-range)# absolute start 30 January end 30 December

This command displays the current hardware clock time. The following is sample output from this command:

This command displays the current software clock time.

This command displays the status of NTP associations.

Router# show ntp associations detail
Router# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is
Multicast client

In the following example, a router with a hardware clock that has server associations with two other systems sends broadcast NTP packets, periodically updates the hardware clock, and redistributes time into VINES:

In the following example, a router with a hardware clock has no outside time source, so it uses the hardware clock as an authoritative time source and distributes the time via NTP broadcast packets:
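An added Python evaluator for the time-range semantics described above (absolute window plus periodic days and hours, with access list entries in effect only while the range is active). It is not Cisco code; it assumes the IOS absolute and same-day periodic syntax for a single time-range block, and the configuration it parses is constructed.

```python
import re
from datetime import datetime

# Constructed IOS time-range block; the name and dates are made up for this example.
EXAMPLE_RANGE = """
time-range WORKHOURS
 absolute start 08:00 1 January 2024 end 17:00 31 December 2024
 periodic weekdays 08:00 to 17:00
"""

# Day keywords accepted by the periodic statement, mapped to datetime.weekday() values.
DAY_GROUPS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def _stamp(text):
    """Parse the 'HH:MM day month year' form used by the absolute statement."""
    return datetime.strptime(text.strip(), "%H:%M %d %B %Y")


def parse_time_range(config):
    """Parse the absolute and same-day periodic lines of one time-range block."""
    rng = {"start": None, "end": None, "periodic": []}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = re.match(r"absolute(?: start (.+?))?(?: end (.+))?$", line)
        if m:
            rng["start"] = _stamp(m.group(1)) if m.group(1) else None
            rng["end"] = _stamp(m.group(2)) if m.group(2) else None
            continue
        m = re.match(r"periodic ((?:[a-z]+ )+)(\d\d:\d\d) to (\d\d:\d\d)$", line, re.I)
        if m:
            days = set()
            for word in m.group(1).split():
                days |= DAY_GROUPS[word.lower()]
            rng["periodic"].append((days, m.group(2), m.group(3)))
    return rng


def is_active(rng, when):
    """True when the range, and so any permit/deny entry referencing it, is in effect."""
    if rng["start"] and when < rng["start"]:
        return False
    if rng["end"] and when > rng["end"]:
        return False
    if not rng["periodic"]:            # absolute only: active for the whole window
        return True
    hhmm = when.strftime("%H:%M")      # zero-padded, so string comparison is safe
    return any(when.weekday() in days and lo <= hhmm <= hi
               for days, lo, hi in rng["periodic"])


def active_at(config, iso_timestamp):
    """Is the configured range active at the given ISO 8601 local time?"""
    return is_active(parse_time_range(config), datetime.fromisoformat(iso_timestamp))
```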
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies.
Cisco IOS Software Release (33)SXI, New Features and Hardware Support & Downloads - Cisco
Access to most tools on the Cisco Support and Documentation website requires a Cisco. The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. The following commands were introduced or modified: ntp access-group, ntp allow mode passive, ntp authenticate, ntp authentication-key, ntp broadcast, ntp broadcast client, ntp broadcastdelay, ntp clear drift, ntp clock-period, ntp disable, ntp logging, ntp master, ntp max-associations, ntp multicast, ntp multicast client, ntp server, ntp source, ntp trusted-key, ntp update-calendar.
The following commands were introduced or modified: sntp broadcast client , sntp server. A listing of Cisco's trademarks can be found at www. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. Any Internet Protocol IP addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Updated: July 14, Chapter: Setting Time and Calendar Services.