System Clock and Time Protocols
The switch uses the system clock to time-stamp all events, logs, and system messages. Setting the system clock to Coordinated Universal Time (UTC) allows the switch to calculate and display the local time for administrative purposes based on the configured time zone. The system clock can be set manually, but the preferred method for synchronization uses Network Time Protocol (NTP). Any properly configured NTP servers on the switch override manually entered clock settings.
Use the following sections for the configuration of the system clock and NTP. For information on the Precision Time Protocol (PTP), see Timing Protocols.
Configuring the Time Zone
EOS uses a fundamental system clock based on UTC and you cannot change the system clock UTC base. Instead, configure the time zone and EOS converts the UTC base time to the local time displayed in the Command Line Interface (CLI). Then, the system clock time stamps the logs with the local time.
To specify the time zone, use the clock timezone command.
Examples
- Use the following commands to configure the switch for the United States Pacific Time Zone:
switch(config)# clock timezone US/Pacific
switch(config)# show clock
Tue Nov 11 12:39:16 2025
Timezone: US/Pacific
Clock source: NTP server (1.8.11.24)
switch(config)#
- To view the predefined time zone labels, enter clock timezone with a question mark:
switch(config)# clock timezone ?
Africa/      Africa timezones
America/     America timezones
Antarctica/  Antarctica timezones
Arctic/      Arctic timezones
Asia/        Asia timezones
Atlantic/    Atlantic timezones
Australia/   Australia timezones
Brazil/      Brazil timezones
CET          CET timezone
CST6CDT      CST6CDT timezone
Canada/      Canada timezones
Chile/       Chile timezones
Cuba         Cuba timezone
EET          EET timezone
EST          EST timezone
EST5EDT      EST5EDT timezone
Egypt        Egypt timezone
Eire         Eire timezone
Etc/         Etc timezones
Europe/      Europe timezones
--More--
switch(config)#clock timezone
- Use the following command to display all time zone labels that start with America:
switch(config)# clock timezone America/?
America/Adak America/Anchorage America/Anguilla
America/Antigua America/Araguaina America/Argentina/
America/Aruba America/Asuncion America/Atikokan
America/Atka America/Bahia America/Bahia_Banderas
America/Barbados America/Belem America/Belize
America/Blanc-Sablon America/Boa_Vista America/Bogota
America/Boise America/Buenos_Aires America/Cambridge_Bay
--More--
switch(config)#clock timezone AMERICA
- Use the following command to display all time zone labels that begin with Europe:
switch(config)# clock timezone Europe/?
Europe/Amsterdam Europe/Andorra Europe/Astrakhan Europe/Athens
Europe/Belfast Europe/Belgrade Europe/Berlin Europe/Bratislava
Europe/Brussels Europe/Bucharest Europe/Budapest Europe/Busingen
Europe/Chisinau Europe/Copenhagen Europe/Dublin Europe/Gibraltar
Europe/Guernsey Europe/Helsinki Europe/Isle_of_Man Europe/Istanbul
Europe/Jersey Europe/Kaliningrad Europe/Kiev Europe/Kirov
Europe/Kyiv Europe/Lisbon Europe/Ljubljana Europe/London
Europe/Luxembourg Europe/Madrid Europe/Malta Europe/Mariehamn
Europe/Minsk Europe/Monaco Europe/Moscow Europe/Nicosia
Europe/Oslo Europe/Paris Europe/Podgorica Europe/Prague
Europe/Riga Europe/Rome Europe/Samara Europe/San_Marino
Europe/Sarajevo Europe/Saratov Europe/Simferopol Europe/Skopje
Europe/Sofia Europe/Stockholm Europe/Tallinn Europe/Tirane
Europe/Tiraspol Europe/Ulyanovsk Europe/Uzhgorod Europe/Vaduz
Europe/Vatican Europe/Vienna Europe/Vilnius Europe/Volgograd
Europe/Warsaw Europe/Zagreb Europe/Zaporozhye Europe/Zuric
Setting the System Clock Manually
The clock set command manually configures the system clock time and date in local time. Any properly configured NTP servers on the switch override the manually entered time.
Example
switch# clock set 08:15:24 14 Jan 2013
Mon Jan 14 08:15:25 2013
timezone is US/Central
Displaying the Time
Enter the show clock command to display the local time and configured time zone.
Example
switch(config)# show clock
Mon Jan 14 16:32:46 2013
timezone is America/Los_Angeles
Network Time Protocol (NTP) Overview
EOS enables Network Time Protocol (NTP) on the switch by default, and time settings from any properly configured NTP server override the manual setting of the system clock.
NTP servers synchronize time settings of systems running an NTP client. The switch supports NTP versions 1 through 4, and uses version 4 by default. After configuring the switch to synchronize with an NTP server, it may take up to ten minutes for the switch to set the clock. The running-config lists the NTP servers that the switch is configured to use.
Overview of Network Time Security (NTS)
Network Time Security (NTS) provides a cryptographic security mechanism for Network Time Protocol (NTP). NTS ensures that a client receives accurate time from a verified source and that the time has not been altered in transit. This prevents attacks such as spoofing and Man-in-the-Middle (MITM).
NTS separates key establishment from time synchronization by using a TLS-based NTS Key Establishment (NTS-KE) protocol to negotiate symmetric keys and encrypted cookies. Subsequent NTS packets include the cookies to enable stateless authentication by the server. NTS-KE manages the initial connection, server authentication, and key exchange in the following process:
- Secure Connection - The client connects to the NTS-KE server using a TCP connection.
- Authentication and Key Exchange - The server and client perform a Transport Layer Security (TLS) handshake and the server proves its identity to the client, providing server authentication.
- Key Material and Cookies - During the TLS session, the server and client negotiate cryptographic parameters and exchange the necessary key material in the form of symmetric encryption keys. The server also sends opaque cookies with the per-client state necessary for the next phase.
- Close Connection - The TLS connection then closes, since it was required only for the initial setup.
EOS disables the feature by default. To enable it, a valid SSL profile must be provided when configuring NTP.
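The records exchanged inside the NTS-KE TLS session use the type-length-value layout defined in RFC 8915. The following added example (not from the original page and not Arista code) decodes a constructed server response and applies the acceptance checks of a client that offered only NTPv4 and AEAD_AES_SIV_CMAC_256; the function names and cookie bytes are illustrative.

```python
import struct

# NTS-KE record types from RFC 8915; every record is a 4-byte header plus a body.
END, NEXT_PROTO, ERROR, WARNING, AEAD, COOKIE, SERVER, PORT = range(8)
NTPV4 = 0                    # Next Protocol ID for NTPv4
AEAD_AES_SIV_CMAC_256 = 15   # AEAD algorithm every NTS implementation must support

def record(rtype, body=b"", critical=False):
    """Encode one record: critical bit, 15-bit type, 16-bit body length, body."""
    return struct.pack("!HH", (0x8000 if critical else 0) | rtype, len(body)) + body

def parse_records(data):
    """Split bytes read from the TLS session into (critical, type, body) tuples."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated record header")
        head, length = struct.unpack_from("!HH", data, offset)
        body = data[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((bool(head & 0x8000), head & 0x7FFF, body))
        offset += 4 + length
    return records

def accept_response(data):
    """Apply the client's acceptance checks and return the cookies for later NTP use."""
    records = parse_records(data)
    if not records or records[-1][1] != END:
        raise ValueError("missing End of Message")
    by_type = {}
    for critical, rtype, body in records:
        if rtype == ERROR:
            raise ValueError("server reported error %d" % int.from_bytes(body, "big"))
        if critical and rtype > PORT:
            raise ValueError("unrecognized critical record %d" % rtype)
        by_type.setdefault(rtype, []).append(body)
    if by_type.get(NEXT_PROTO) != [struct.pack("!H", NTPV4)]:
        raise ValueError("NTPv4 was not negotiated")
    if by_type.get(AEAD) != [struct.pack("!H", AEAD_AES_SIV_CMAC_256)]:
        raise ValueError("unexpected AEAD algorithm")
    if not by_type.get(COOKIE):
        raise ValueError("no cookies supplied")
    return by_type[COOKIE]

# Constructed server response: NTPv4, AES-SIV-CMAC-256, two placeholder cookies.
SAMPLE = (record(NEXT_PROTO, b"\x00\x00", True) + record(AEAD, b"\x00\x0f", True)
          + record(COOKIE, b"cookie-1") + record(COOKIE, b"cookie-2")
          + record(END, critical=True))
```

In RFC 8915 the symmetric keys are not carried in any record: client and server each derive them from the TLS session using the TLS exporter, so only the cookies travel in the response.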
Configuring the NTP Server
The ntp server command adds a server to the list or modifies the parameters of a previously listed address. When the system contains multiple NTP servers, the prefer keyword specifies a preferred NTP server, and the switch uses it as the NTP server.
Note that all NTP servers must be in the same VRF, and they are added in the default VRF if you do not specify a VRF.
NTP sets the system clock if it is enabled and if the switch has one properly configured NTP server. NTP overrides the manual setting of the system clock. EOS enables NTP by default. To disable NTP, use the no ntp command.
Example
Use the following commands to add three NTP servers and designate the second server as the preferred NTP server.
switch(config)# ntp server local-NTP
switch(config)# ntp server 172.16.0.23 prefer
switch(config)# ntp server 172.16.0.25
Configuring the NTP Source
To control the address to which NTP responses are sent back to the switch, specify a local interface as the source of outgoing NTP packets using the ntp local-interface command. The IP address of that interface is used as the source address in all outgoing NTP packets unless the switch acts as an NTP server and a server-specific source is configured using the source option of the ntp server command.
Example
switch(config)# ntp local-interface vlan 25
switch(config)#
Configuring the Switch as an NTP Server
To configure the switch to accept NTP requests on all interfaces, use the ntp serve all command to enable NTP server mode globally on the switch. To configure an individual interface to accept or deny NTP requests, use the ntp serve command. Interface level settings override the global settings, and changing the settings at either the global or interface level also causes the switch to re-synchronize with its upstream NTP server. NTP server mode is disabled by default.
Examples
- This command configures the switch to act as an NTP server, accepting NTP requests.
switch(config)# ntp serve all
switch(config)#
- These commands configure interface ethernet 5 to accept NTP requests regardless of global settings.
switch(config)# interface ethernet 5
switch(config-if-Et5)# ntp serve
switch(config-if-Et5)#
Configuring NTP Authentication
The switch can be configured to accept NTP packets only from an authenticated server or client. NTP authentication is disabled by default.
To configure the switch to authenticate NTP packets, create one or more authentication keys using the ntp authentication-key command, and specify trusted keys by using the ntp trusted-key command. Use the ntp authenticate command to enable NTP authentication, and specify the trusted key to use for a specific server. The NTP server must be configured to use the same authentication key and key ID number.
Note: When you enable NTP authentication on a switch, all NTP servers upstream of the switch and all NTP clients of the switch should have matching keys configured, and clients must have NTP authentication enabled.
Example
switch(config)# ntp authentication-key 328 md5 timeSync
switch(config)# ntp trusted-key 328
switch(config)# ntp authenticate
switch(config)#
Configuring Network Time Security (NTS)
EOS provides NTS as an optional feature for both client and server modes and disables it by default. To enable it, you must provide a valid SSL profile for the configuration. See Control Plane Security.
Configuring a Client Connection to an NTP Server
The ntp server command configures a persistent association with a remote server. When specifying an SSL profile with the configuration, the remote server must support NTS.
To specify the SSL profile, add the parameter ssl profile profile_name to the ntp server command. You must have a trust certificate configured for the profile.
Use the following commands to establish an SSL profile, nts_profile, with a certificate, CaCert, and using TLS version 1.3:
switch(config)# management security
switch(config-mgmt-security)# ssl profile nts_profile
switch(config-mgmt-sec-ssl-profile-nts_profile)# trust certificate CaCert
switch(config-mgmt-sec-ssl-profile-nts_profile)# tls versions 1.3
switch(config-mgmt-sec-ssl-profile-nts_profile)# ntp server mycompany.com ssl profile nts_profile
Configuring the Switch as an NTP Server
Enable NTP server mode for all interfaces on the switch using the ntp serve all command, or for individual interfaces by applying the ntp serve command in the Interface Configuration Mode. For both types of server configuration, enable NTS by applying the command ntp serve ssl profile profile_name with an SSL profile.
switch(config)# management security
switch(config-mgmt-security)# ssl profile nts_profile
switch(config-mgmt-sec-ssl-profile-nts_profile)# certificate serverCert key serverKey
switch(config-mgmt-sec-ssl-profile-nts_profile)# tls versions 1.3
switch(config)# ntp server mycompany.com
switch(config)# ntp serve all
switch(config)# ntp serve ssl profile nts_profile
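The authentication and NTS commands from the sections above can be checked together in a saved configuration. The following added example (not from the original page and not Arista code) audits a constructed configuration for gaps in the settings this page describes; the function name, the finding texts and the sample configuration are illustrative, and it assumes ntp server lines without a vrf keyword.

```python
def audit_ntp(config):
    """Return findings for the NTP and NTS commands in an EOS-style configuration."""
    profiles, current, depth = {}, None, 0        # ssl profile name -> sub-commands
    key_ids, trusted, servers, flags = set(), set(), [], set()
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        words = line.split()
        if line.startswith("ssl profile "):
            current, depth = profiles.setdefault(words[2], []), indent
        elif current is not None and indent > depth:
            current.append(line)                  # command inside the open profile
        else:
            current = None
            if line.startswith("ntp authentication-key "):
                key_ids.add(words[2])
            elif line.startswith("ntp trusted-key "):
                trusted.add(words[2])
            elif line.startswith("ntp server "):
                servers.append(words)
            elif line.startswith("ntp "):
                flags.add(line)
    findings = []
    for words in servers:
        if "profile" not in words:
            findings.append(f"{words[2]}: no ssl profile, so NTS is not used")
            continue
        name = words[words.index("profile") + 1]
        if not any(c.startswith("trust certificate ") for c in profiles.get(name, [])):
            findings.append(f"{words[2]}: profile {name} has no trust certificate")
    for key_id in sorted(trusted - key_ids):
        findings.append(f"trusted-key {key_id} has no authentication-key")
    if key_ids and "ntp authenticate" not in flags:
        findings.append("keys are defined but ntp authenticate is missing")
    if "ntp serve all" in flags and not any(f.startswith("ntp serve ssl profile ") for f in flags):
        findings.append("ntp serve all without ntp serve ssl profile")
    return findings

# Constructed configuration built from the commands on this page, with gaps left in.
SAMPLE = """\
management security
   ssl profile nts_profile
      tls versions 1.3
ntp authentication-key 328 md5 timeSync
ntp trusted-key 328
ntp trusted-key 400
ntp server 172.16.0.23 prefer
ntp server mycompany.com ssl profile nts_profile
ntp serve all
"""
```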
Viewing NTP Settings and Status
To display the status of Network Time Protocol (NTP) on the switch, use the show ntp status command. To display the status of connections to NTP servers, use the show ntp associations command.
Note: In the output for show ntp associations, the reference ID identifies the time source of the NTP server as either the IPv4 address of the time source or, if that source has an IPv6 address, the first four octets of the MD5 hash of the IPv6 address. In EOS releases prior to 4.23.2, the show ntp status command identified the system peer by its reference ID as described above. In later releases, it shows the IPv4 address or IPv6 address.
Examples
- This command displays the status of the switch’s NTP connection.
switch# show ntp status
synchronised to NTP server (192.168.78.62) at stratum 3
time correct to within 66 ms
polling server every 1024 s
switch#
- This command displays data about the NTP servers in the configuration.
switch# show ntp associations
     remote           refid       st t when poll reach   delay   offset  jitter
==============================================================================
+l.ntp.arista.co 125.157.10.11     2 u  539 1024  377  121.748   -0.345   0.893
-3.ntp.arista.co 127.31.152.34     2 u  868 1024  377  101.671    2.434   1.529
+2.ntp.arista.co 176.131.12.185    2 u  676 1024  377  116.505     0.03   0.768
*4.ntp.arista.co 120.181.192.192   2 u  696 1024  377   48.431   -0.416    0.15
switch#
Displaying Network Time Security (NTS)
switch# show ntp status
synchronised to NTP server (10.0.1.2) at stratum 2
time correct to within 939 ms
polling server every 64 s
NTS client sends: 5
NTS client recvs good: 5
NTS client recvs w error: 0
NTS server sends: 0
NTS server recvs good: 0
NTS server recvs w error: 0
NTS-KE serves good: 0
NTS-KE serves bad: 0
NTS-KE client probes good: 1
NTS-KE client probes bad: 0
The output displays the following information about the NTS-KE configuration:
- NTS client sends - The number of client requests sent with NTS.
- NTS client recvs good - The number of valid responses with NTS received from servers.
- NTS client recvs w error - The number of invalid responses with NTS received from servers.
- NTS server sends - The number of responses with NTS sent by EOS as a server.
- NTS server recvs good - The number of valid client requests with NTS received by EOS as a server.
- NTS server recvs w error - The number of invalid client requests with NTS received by EOS as a server.
- NTS-KE serves good - The number of successful NTS-KE negotiations performed by the server.
- NTS-KE serves bad - The number of unsuccessful NTS-KE negotiations performed by the server.
- NTS-KE client probes good - The number of successful NTS-KE negotiations performed by the client.
- NTS-KE client probes bad - The number of unsuccessful NTS-KE negotiations performed by the client.
EOS re-attempts unsuccessful negotiations until successfully negotiating with the client or server. NTP synchronization only occurs after a successful NTS-KE negotiation. When operating correctly, the entries for NTS clients and servers increment consistently.
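A health check built on these counters, as an added example that is not Arista code: it compares two polls of show ntp status and reports the failure conditions described in the list above. The first poll is the output shown on this page and the second is constructed; the function names, and the rule that a synchronised switch should show at least one good NTS-KE client probe (valid only when every configured server uses an SSL profile), are assumptions of this example.

```python
import re

# First poll: the "show ntp status" output shown on this page.
FIRST = """\
synchronised to NTP server (10.0.1.2) at stratum 2
time correct to within 939 ms
polling server every 64 s
NTS client sends: 5
NTS client recvs good: 5
NTS client recvs w error: 0
NTS server sends: 0
NTS server recvs good: 0
NTS server recvs w error: 0
NTS-KE serves good: 0
NTS-KE serves bad: 0
NTS-KE client probes good: 1
NTS-KE client probes bad: 0
"""
# Second poll (constructed): four more requests, each answered with an invalid response.
SECOND = (FIRST.replace("NTS client sends: 5", "NTS client sends: 9")
          .replace("NTS client recvs w error: 0", "NTS client recvs w error: 4"))


def parse_status(text):
    """Return ({counter name: value}, synchronised?) from show ntp status output."""
    counters = {m[1]: int(m[2]) for m in re.finditer(r"^(NTS[^:]*): (\d+)$", text, re.M)}
    return counters, text.lstrip().startswith("synchronised to")


def nts_findings(before, after):
    """Compare two polls and list the NTS conditions worth alerting on."""
    (old, _), (new, synced) = parse_status(before), parse_status(after)
    delta = {name: new[name] - old.get(name, 0) for name in new}
    findings = []
    for name in ("NTS client recvs w error", "NTS server recvs w error",
                 "NTS-KE client probes bad", "NTS-KE serves bad"):
        if delta.get(name, 0) > 0:
            findings.append("%s rose by %d" % (name, delta[name]))
    if delta.get("NTS client sends", 0) > 0 and delta.get("NTS client recvs good", 0) == 0:
        findings.append("NTS requests sent but no valid responses received")
    if synced and new.get("NTS-KE client probes good", 0) == 0:
        findings.append("synchronised without a successful NTS-KE negotiation")
    return findings
```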
