I'm facing a very strange issue with NTP. My core switches are 4506 and they are synchronizing with AD for time, though I have not specified any command to sync with AD. There is no NTP command in the switch. I have manually set the time purposely 1 hr behind the clock; after 10 to 15 min it picks up the correct time from AD.
I don't know why. It is very strange for me.
Can you perhaps post your configuration? As far as I know, Catalyst switches do not synchronize their time until explicitly configured to. Also please post the output of the show ntp associations and show ntp status commands. Thanks!
Seems strange, but we cannot exclude some interaction based on AD NTP broadcasts, causing the switch to adopt time.
Perhaps an ACL could help in avoiding the undesired synchronization.
Here is the output.
CS02#SHOW NTP ASSOC
address ref clock st when poll reach delay offset disp
*~127.127.7.1 127.127.7.1 2 42 64 377 0.0 0.00 0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
CS02#SHOW NTP STATUS
Clock is synchronized, stratum 3, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
reference time is D09C52AC.37091E20 (08:01:48.214 GST Sun Nov 28 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
There is definitely some explicit NTP configuration on your device. This output declares that the switch is configured as an NTP server and is providing NTP services to the network.
Can you post the entire configuration of the device (without, of course, sensitive data)?
Absolutely agree - that's why I requested the configuration of the switch. But I assume that even for listening for AD time broadcasts, the switch would have to be configured explicitly, for example using the ntp broadcast client or ntp multicast client interface configuration command. I have not yet seen (though I am not saying that it is impossible) a switch without any explicit NTP configuration to "suddenly" synchronize its clock.
I haven't seen the configuration of the device yet. I do not have any basis to suppose that this is an IOS bug or a case that "deserves" the attention of a TAC specialist. I will wait for the OP to post the configuration and then we'll see.
There is no NTP command in switch
Maybe it's my view, but in 18 years of working with Cisco products, I have seen so many bugs that 1, 10 or 100 more do not surprise me a bit.
Sure, I am not excluding the possibility of a bug per se. I am just trying to explore other possibilities before concluding that this is an errant behavior. I have also seen lots of bugs - surely not as many as you, as you have been working in the networking field considerably longer than me - and it would not surprise me either, but I do not have enough reliable information to make any conclusion. If I stated that this is a bug based on the scarce information available in this thread so far, I would be jumping to conclusions, which is something I'd rather not do. Currently, I am not stating anything - I am just asking the OP to provide more information.
I find the OP's comment about "no NTP command present on the switch" somewhat suspicious and I'd like to verify that for myself (after all, the TAC person would do just the same). Note that the show ntp assoc produced an output that suggests that the switch is configured as NTP server (not default) with the stratum 3 (not default).
I wouldn't configure a Cisco appliance as an authoritative NTP server.
Otherwise, use a dedicated NTP server that synchronizes itself using GPS.
The IOS for the switch is: System image file is "bootflash:cat4500e-entservices-mz.122-53.SG1.bin". After specifying the NTP commands on the core, and treating the core as a local time source, it still syncs with AD time after 10 to 15 min.
In the switch there are no commands specifying AD as NTP source.
Here are the configs
Current configuration : 22451 bytes
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service counters max age 10
logging buffered 8192
no aaa new-model
clock timezone GST 4
hw-module module 1 port-group 1 select gigabitethernet
hw-module module 1 port-group 2 select gigabitethernet
ip domain-name XX
ip name-server 10.XX
ip name-server 10.XX
ip vrf mgmtVrf
power redundancy-mode redundant
spanning-tree mode mst
spanning-tree extend system-id
spanning-tree mst configuration
instance 1 vlan 1-8, 13, 20-25, 30-38
instance 2 vlan 9-12, 14-19, 26-29, 39-49
spanning-tree mst 1 priority 28672
spanning-tree mst 2 priority 24576
vlan internal allocation policy ascending
ip route 0.0.0.0 0.0.0.0 10.XXXXX
no ip http server
logging trap notifications
logging source-interface Vlan6
snmp-server community XXX
snmp-server trap-source Vlan6
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps ether-oam
snmp-server enable traps flash insertion removal
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
snmp-server enable traps port-security
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps ethernet evc status create delete
snmp-server enable traps energywise
snmp-server enable traps rtr
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps rf
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.XXX
line con 0
line vty 0 4
line vty 5 15
ntp source Vlan6
ntp master 3
Find the equipment that has ntp peer 127.127.7.1
No, that is not correct. This IP address is from the loopback IP address space 127.0.0.0/8. This merely means that the device is using its own internal clock as a synchronizing source.
I have to find out whether having a switch configured as an NTP server somehow also makes it sync its time via AD.
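
Added example, not part of any post in this thread: a small Python audit that reads the `show ntp associations` output and the NTP lines of a running configuration and reports whether anything in them gives the switch a path to an outside time source. The function names are hypothetical, the sample input is constructed from the output posted above, and `ntp access-group` and `ntp authenticate` are IOS commands that do not appear in the thread.

```python
import ipaddress
import re

# Constructed sample: the NTP-relevant lines from the output posted in the thread.
SAMPLE_CONFIG = "clock timezone GST 4\nntp source Vlan6\nntp master 3\n"
SAMPLE_ASSOC = (
    "address ref clock st when poll reach delay offset disp\n"
    "*~127.127.7.1 127.127.7.1 2 42 64 377 0.0 0.00 0.0\n"
)
PEER_RE = re.compile(r"^\s*([*#+\-~]*)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)")

def parse_associations(text):
    """Return one dict per peer line of 'show ntp associations'."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            flags, addr, _ref, stratum = m.groups()
            peers.append({
                "address": addr,
                "synced_master": "*" in flags,   # '*' = master (synced)
                "configured": "~" in flags,      # '~' = configured
                "stratum": int(stratum),
                # 127.0.0.0/8 means the device's own internal clock
                "local_clock": ipaddress.ip_address(addr).is_loopback,
            })
    return peers

def audit_config(text):
    """Return (ntp_lines, findings) for a running-config dump."""
    ntp = [l.strip() for l in text.splitlines() if re.match(r"\s*ntp\s", l)]
    checks = [
        ("external-source", any(re.match(r"ntp (server|peer) ", l) for l in ntp)),
        ("listens-for-broadcast",
         any(re.match(r"ntp (broadcast|multicast) client", l) for l in ntp)),
        ("acts-as-master", any(l.startswith("ntp master") for l in ntp)),
        ("no-access-group",
         bool(ntp) and not any(l.startswith("ntp access-group") for l in ntp)),
        ("no-authentication",
         bool(ntp) and not any(l.startswith("ntp authenticate") for l in ntp)),
    ]
    return ntp, [name for name, hit in checks if hit]

def external_sync_explained(peers, findings):
    """True if the evidence shows any configured path to an outside time source."""
    remote = any(not p["local_clock"] for p in peers)
    return remote or "external-source" in findings or "listens-for-broadcast" in findings
```

On the posted data the last function returns False: the only association is the internal clock, and no `ntp server`, `ntp peer`, or broadcast/multicast client line is present.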