Syslog messages, SNMP traps, and console messages can all carry a time stamp. Because time is relative, those time stamps are useless for comparing logs across devices unless every device shares a common understanding of time (they remain usable when comparing logs from a single device). Events on a network often occur within milliseconds of one another, and the ability to correlate logs lets patterns of behavior be identified quickly, which reduces downtime.

For this purpose, it is most important that all relevant devices are synchronized.

When the Network Time Protocol (NTP) (RFC 1305) is deployed on a network, router clocks will be extremely accurate, and event logs from various sources can be correlated.
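The following added example (not part of the original text) merges log entries from three devices into one timeline, first as stamped and then after removing each device's clock error, to show how a single skewed clock reverses the apparent order of events. The device names, messages, time stamps, and clock errors are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (device, time stamp as written by that device, message).
# Assumed true sequence: link down on rtr1, failover on fw1, trap from sw1,
# all within 300 ms. rtr1's clock runs 2.5 s fast, so its stamp looks late.
LOGS = [
    ("rtr1", "2024-03-01T10:15:02.600Z", "LINK-3-UPDOWN: Gi0/1 changed state to down"),
    ("fw1", "2024-03-01T10:15:00.250Z", "failover: standby unit taking over"),
    ("sw1", "2024-03-01T10:15:00.400Z", "SNMP trap: linkDown ifIndex=12"),
]

# Constructed clock error per device in seconds (device clock minus true UTC),
# the kind of figure an NTP client reports as its offset.
CLOCK_ERROR = {"rtr1": 2.5, "fw1": 0.0, "sw1": 0.0}


def parse_utc(stamp):
    """Parse an ISO 8601 UTC stamp ending in Z into an aware datetime."""
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def timeline(logs, clock_error=None):
    """Merge logs from several devices into one list sorted by time.

    If clock_error is given, each stamp is corrected before sorting."""
    clock_error = clock_error or {}
    events = []
    for device, stamp, message in logs:
        skew = timedelta(seconds=clock_error.get(device, 0.0))
        events.append((parse_utc(stamp) - skew, device, message))
    return sorted(events)


def order(events):
    """Return only the device names, in timeline order."""
    return [device for _, device, _ in events]


def span_ms(events):
    """Milliseconds between the first and last event in the timeline."""
    return (events[-1][0] - events[0][0]) / timedelta(milliseconds=1)


if __name__ == "__main__":
    for label, events in (("as stamped", timeline(LOGS)),
                          ("corrected", timeline(LOGS, CLOCK_ERROR))):
        print(label, order(events), f"{span_ms(events):.0f} ms")
```

As stamped, the link failure on rtr1 appears to follow the failover it caused; with synchronized clocks the cause comes first and the three events fall within the same 300 ms window.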

NTP Deployment

All NTP communication uses UTC (Coordinated Universal Time), which is the same as GMT (Greenwich Mean Time). Devices can then set an offset for the time zone in which they are located. Most vendor equipment can display time in either UTC or a local time zone.

The number of NTP hops between a device and an authoritative time source is measured in units called stratum. A Stratum 1 device has a radio or atomic clock directly attached, and a Stratum 2 device has an NTP association with a Stratum 1 source, and so on, up to Stratum 9. Typically an Internet source can be used as a Stratum 1 source. See to find the domain names of appropriate devices.

An internal NTP hierarchy is built by configuring one or a few devices to synchronize with an Internet-based NTP server, and then having the other internal devices synchronize with those devices. This arrangement can be duplicated at the location level, the gateway level, and so forth, so that if the network becomes isolated, devices that still have connectivity can stay synchronized.

In addition, Syslog servers, SNMP management stations, and so forth can be deployed as part of the NTP hierarchy. These devices can also be used as a timing source.


