How to Configure Precision Time Protocol (ISA 3000)

The Precision Time Protocol (PTP) is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. These device clocks are generally of varying precision and stability. The protocol is designed specifically for industrial, networked measurement and control systems, and is optimal for use in distributed systems because it requires minimal bandwidth and little processing overhead.

A PTP system is a distributed, networked system consisting of a combination of PTP and non-PTP devices. PTP devices include ordinary clocks, boundary clocks and transparent clocks. Non-PTP devices include network switches, routers and other infrastructure devices.

You can configure the threat defense device to be a transparent clock. The threat defense device does not synchronize its clock with the PTP clocks. The threat defense device will use the PTP default profile, as defined on the PTP clocks.

When you configure the PTP devices, you define a domain number for the devices that are meant to function together. Thus, you can configure multiple PTP domains, and then configure each non-PTP device to use the PTP clocks for one specific domain.

Before you begin

Determine the domain number configured on the PTP clocks that the device should use. This example assumes the PTP domain number is 10. Also, determine the interfaces through which the system can reach the PTP clocks in the domain.

Following are guidelines for configuring PTP:

  • This feature is only available on the Cisco ISA 3000 appliance.

  • Cisco PTP supports multicast PTP messages only.

  • PTP is available only for IPv4 networks, not for IPv6 networks.

  • PTP configuration is supported on physical Ethernet data interfaces, whether stand-alone or bridge group members. It is not supported on the management interface, subinterfaces, EtherChannels, Bridge Virtual Interfaces (BVI), or any other virtual interfaces.

  • PTP flows on VLAN subinterfaces are supported, assuming the appropriate PTP configuration is present on the parent interface.

  • You must ensure that PTP packets are allowed to flow through the device. PTP traffic is identified by UDP destination ports 319 and 320, and destination IP address 224.0.1.129, so any access control rule that allows this traffic should work.

  • In Routed firewall mode, you must enable Multicast routing for PTP multicast groups. In addition, if an interface on which you enable PTP is not in a bridge group, you must configure the interface to join the IGMP multicast group 224.0.1.129. If the physical interface is a bridge group member, you do not configure it to join the IGMP multicast group.

Procedure

Step 1

(Routed mode only.) Enable Multicast routing, and configure the IGMP group for the interfaces.

In Routed mode, you must enable Multicast routing. In addition, for stand-alone physical interfaces, that is, those that are not bridge group members, you must also configure the interface to join the 224.0.1.129 IGMP group. You cannot configure bridge group members to join an IGMP group, but PTP configuration on bridge group members will work without the IGMP join.

Perform this procedure for each device on which you will configure PTP.

Note

Write down the hardware names of each PTP-clock-facing interface on each device, for example, GigabitEthernet1/1.

  1. Choose Devices > Device Management, and edit the device.

  2. Click Routing.

  3. Choose Multicast Routing > IGMP.

  4. Check the Enable Multicast Routing check box.

  5. Click Join Group.

  6. Click Add, and in the Add IGMP Join Group Parameters dialog box, configure the following options and click OK.

    • Interface—Select the PTP-clock-facing stand-alone interface.

    • Join Group—Click + to add a new network object. Create a Host object with the address 224.0.1.129. When configuring additional interfaces, simply select this object. (See Creating Network Objects.)

    Repeat this step for each PTP-clock-facing stand-alone interface on the device.

  7. Click Save on the Routing page.

Step 2

Create the FlexConfig object to enable PTP globally and on the interface.

The following procedure assumes that the PTP-clock-facing interface is the same on every device you are configuring. If you have used different interfaces on different devices, you need to create separate objects for each distinct combination. For example, if you use GigabitEthernet1/1 on devices A and B, GigabitEthernet1/2 on devices C and D, and both GigabitEthernet1/1 and 1/2 on devices E and F, you need 3 separate FlexConfig objects, and subsequently, 3 separate FlexConfig policies (explained in the next step).

  1. Choose Objects > Object Management.

  2. Choose FlexConfig > FlexConfig Object from the table of contents.

  3. Click Add FlexConfig Object, configure the following properties, and click Save.

    • Name—The object name. For example, Enable_PTP.

    • Deployment—Select Everytime. You want this configuration to be sent in every deployment to ensure it remains configured.

    • Type—Keep the default, Append. The commands are sent to the device after the commands for directly-supported features. This ensures that any other changes you make to interface configuration are configured before these commands.

    • Object body—In the object body, type the commands needed to configure PTP globally and on each PTP-clock-facing interface. For example, the commands needed for the global configuration for PTP domain 10 and the interface configuration on GigabitEthernet1/1 are:

      
ptp mode e2etransparent
ptp domain 10
interface gigabitethernet1/1
 ptp enable

    The object body should look similar to the following:

Step 3

Create the FlexConfig policy and assign it to the devices.

If you created multiple FlexConfig objects for different combinations of PTP-clock-facing interfaces, you need to create separate FlexConfig policies for each object, and assign those policies to the correct devices based on the interfaces you need to configure. Repeat the following procedure for each group of devices.

  1. Choose Devices > FlexConfig.

  2. Either click New Policy, or if an existing FlexConfig policy should be assigned to (or is already assigned to) the target devices, simply edit that policy.

    When creating a new policy, assign the target devices to the policy in the dialog box where you name the policy.

  3. Select the PTP FlexConfig object in the User Defined folder in the table of contents and click > to add it to the policy.

    The object should be added to the Selected Appended FlexConfigs list.

  4. Click Save.

  5. If you have not yet assigned all the targeted devices to the policy, click the Policy Assignments link below Save and make the assignments now.

  6. Click Preview Config, and in the Preview dialog box, select one of the assigned devices.

    The system generates a preview of the configuration CLI that will be sent to the device. Verify that the commands generated from the PTP FlexConfig object look correct. These will be shown at the end of the preview. Note that you will also see commands generated from other changes you have made to managed features. For the PTP commands, you should see something similar to the following:

    
###Flex-config Appended CLI ###
ptp mode e2etransparent
ptp domain 10
interface gigabitethernet1/1
 ptp enable

Step 4

Deploy your changes.

Because you assigned a FlexConfig policy to the devices, you will always get a deployment warning, which is meant to caution you about the use of FlexConfig. Click Proceed to continue with the deployment.

After the deployment completes, you can check the deployment history and view the transcript for the deployment. This is especially valuable if the deployment fails. See Verify the Deployed Configuration.

Step 5

Verify the PTP configuration on each device.

From an SSH or Console session into each device, verify the PTP settings:


> show ptp clock
 PTP CLOCK INFO
  PTP Device Type: End to End Transparent Clock
  Operation mode: One Step
  Clock Identity: 34:62:88:FF:FE:1:73:81
  Clock Domain: 10
  Number of PTP ports: 4
> show ptp port
 PTP PORT DATASET: GigabitEthernet1/1
  Port identity: Clock Identity: 34:62:88:FF:FE:1:73:81
  Port identity: Port Number: 1
  PTP version: 2
  Port state: Enabled

 PTP PORT DATASET: GigabitEthernet1/2
  Port identity: Clock Identity: 34:62:88:FF:FE:1:73:81
  Port identity: Port Number: 2
  PTP version: 2
  Port state: Disabled

 PTP PORT DATASET: GigabitEthernet1/3
  Port identity: Clock Identity: 34:62:88:FF:FE:1:73:81
  Port identity: Port Number: 3
  PTP version: 2
  Port state: Disabled

 PTP PORT DATASET: GigabitEthernet1/4
  Port identity: Clock Identity: 34:62:88:FF:FE:1:73:81
  Port identity: Port Number: 4
  PTP version: 2
  Port state: Disabled