[Day #26 Pyats Series] NTP synchronization check (cross-vendor) using pyATS for Cisco [Python for Network Engineer]

• Trainer Sagar Dhawan
• Posted on September 6, 2025
• No Comments

[Day #26 Pyats Series] NTP synchronization check (cross-vendor) using pyATS for Cisco [Python for Network Engineer]

Introduction on the Key Points

In today’s fast-paced and globally distributed enterprise networks, accurate timekeeping is non-negotiable. A few milliseconds of drift between devices can lead to log mismatches, troubleshooting nightmares, and even compliance issues. This is where NTP (Network Time Protocol) synchronization plays a critical role.

In this blog, part of the “101 Days of pyATS (Vendor-Agnostic)” series, we’ll cover how to automate NTP status checks across Cisco and multi-vendor platforms using pyATS—a powerful testing framework designed for network engineers.

This article focuses on:

• Writing an NTP sync check script using Python for Network Engineer
• Verifying cross-vendor NTP status in Cisco IOS, NX-OS, Arista EOS, and even FortiGate/Juniper (optional)
• Post-validation and reporting
• Using pyATS Genie parsers and simple logic to detect unsynchronized nodes

By the end of this article, you’ll have a reusable cross-vendor validation script to ensure NTP health across your entire infra.

---

Topology Overview

Here’s a sample topology we’re working with:

All devices are configured to point to the same NTP Server, and we’ll use pyATS to verify:

• NTP is configured
• Device is synchronized
• Peer is correct (matches 10.10.10.1)
• NTP status is “synchronized”

---

Topology & Communications

Let’s define the communication goals:

• pyATS connects via SSH using testbed.yaml
• CLI command issued:
  • Cisco IOS: show ntp status, show ntp associations
  • NX-OS: show ntp peer-status, show ntp associations
  • Arista EOS: show ntp status
• Normalize the result and report:
  • Synchronized:
  • Not synchronized:
  • Incorrect peer or no NTP:

We’ll be parsing and comparing outputs using pyATS Genie libraries.

---

Workflow Script

Here’s the full working pyATS job script for NTP synchronization validation.

#!/usr/bin/env python3

from genie.testbed import load
from rich import print
from datetime import datetime

def check_ntp_status(device):
    print(f"[bold cyan] Checking NTP status on {device.name}[/bold cyan]")

    try:
        device.connect(log_stdout=False)
        output = device.parse("show ntp status")

        if "clock is synchronized" in output["clock_state"].lower():
            print(f"

[green] {device.name} is synchronized[/green]

") return { "device": device.name, "status": "Synchronized", "peer": output.get("peer", "N/A"), "stratum": output.get("stratum", "N/A") } else: print(f"

[red] {device.name} is NOT synchronized[/red]

") return { "device": device.name, "status": "Not Synchronized", "peer": output.get("peer", "N/A"), "stratum": output.get("stratum", "N/A") } except Exception as e: print(f"

[yellow] Error checking NTP on {device.name}: {e}[/yellow]

") return { "device": device.name, "status": "Error", "peer": "N/A", "stratum": "N/A" } def main(): testbed = load("testbed.yml") report = [] for dev_name in testbed.devices: device = testbed.devices[dev_name] ntp_status = check_ntp_status(device) report.append(ntp_status) print("\n[bold underline] Final NTP Sync Report:[/bold underline]") for entry in report: print(entry) if __name__ == "__main__": print(f"[bold blue] pyATS NTP Sync Validator - {datetime.now()}[/bold blue]") main()

---

Explanation by Line

Code	Explanation
from genie.testbed import load	Loads multi-vendor device details
device.parse("show ntp status")	Uses pyATS Genie parser to get structured NTP output
clock_state key	Determines if NTP is synchronized or not
peer, stratum	Used to verify source and clock level
testbed.devices[dev_name]	Loops through all devices defined in testbed.yml

You can expand this script to include show ntp associations, or handle vendors like FortiGate (using .execute() + regex if Genie parser is unavailable).

---

testbed.yml Example

devices:
  R1:
    os: iosxe
    type: router
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.1
        port: 22
  SW1:
    os: nxos
    type: switch
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.2
  AR1:
    os: eos
    type: switch
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.3

---

Post-validation CLI Screenshots (Expected Output)

These are real sample outputs we expect from pyATS Genie parsers.

Cisco IOS – show ntp status:

Clock is synchronized, stratum 2, reference is 10.10.10.1

NX-OS – show ntp status:

Clock is synchronized, stratum 2, reference is 10.10.10.1

Arista EOS – show ntp status:

tNTP is synchronized, stratum 3
Reference: 10.10.10.1

pyATS will extract these details via structured data for automated comparison.

---

FAQs

1: What is NTP and why is time synchronization important in a network?

Network Time Protocol (NTP) is used to synchronize the clocks of network devices to a common time source. Accurate timekeeping is crucial for:

• Log correlation across devices (forensics and troubleshooting)
• Certificate validation and cryptography
• Scheduled tasks and backups
• Network event ordering (especially in multi-vendor environments)

Without synchronized time, diagnosing issues across platforms like Cisco, Arista, Palo Alto, or Fortinet becomes chaotic.

---

2: How does pyATS help validate NTP synchronization across devices?

pyATS allows automated extraction and comparison of NTP sync states from multiple devices using parsers and test cases. With a single script:

• You can gather NTP status from Cisco (via show ntp status) and other vendor-specific equivalents.
• Normalize outputs into a structured format.
• Define logic to check for NTP reachability, sync status, and drift thresholds.
• Generate a consolidated report across vendors.

This makes NTP validation scalable, repeatable, and vendor-agnostic.

---

3: What are the CLI commands used for checking NTP status on major vendors like Cisco, Arista, and Palo Alto?

Here are some commonly used CLI commands per vendor:

• Cisco IOS/XE/XR:
  show ntp status
show ntp associations
• Arista EOS:
  show ntp status
show ntp associations
• Palo Alto Networks:
  show ntp
show ntp statistics
• Fortinet (FortiGate):
  diagnose sys ntp status
get sys status | grep NTP

Using pyATS, you can capture outputs using genie parse or device.execute() then extract relevant details.

---

4: What are common symptoms of NTP desynchronization in enterprise networks?

Some typical indicators include:

• Logs from different devices showing inconsistent timestamps.
• Authentication failures due to certificate time mismatch.
• SNMP, syslog, and NetFlow showing irregular time sequences.
• Troubleshooting delays due to inaccurate event correlation.
• Alerts from monitoring tools about time drift.

Running NTP checks regularly using pyATS helps prevent these issues before they impact production.

---

5: How can we ensure cross-vendor NTP consistency using pyATS?

Use pyATS to:

1. Connect to devices from different vendors.
2. Fetch NTP sync status and peer state.
3. Normalize the time offset or drift into a common schema.
4. Compare device clock values with the NTP server time.
5. Define a drift threshold (e.g., < 100 ms) for pass/fail status.
6. Log and report mismatches in JSON or HTML format.

This approach allows uniform validation across all platforms regardless of CLI syntax differences.

---

6: What challenges do engineers face when checking NTP manually across vendors?

Manual challenges include:

• Different CLI syntaxes and output formats.
• Time-consuming login and data collection per device.
• Human errors in interpreting NTP status.
• Lack of centralized reporting.
• Inefficient scaling for large multi-vendor networks.

pyATS solves this by providing centralized automation with structured output and easy reusability.

---

7: Can pyATS also validate if a device’s system clock is significantly drifting despite NTP being configured?

Yes. By:

• Capturing both the NTP sync state and offset/delay values.
• Comparing system clock time (show clock) with authoritative NTP server.
• Setting acceptable drift thresholds (e.g., ±50ms).
• Creating pass/fail testcases in pyATS based on these conditions.

This allows proactive drift detection even if a device claims to be “synchronized”.

---

8: How frequently should NTP sync checks be scheduled in production using pyATS or CI/CD pipelines?

For high-reliability environments:

• Daily or hourly checks via scheduled pyATS runs are recommended.
• Integrate with CI/CD tools (e.g., Jenkins, GitLab CI) or cron jobs.
• Combine with syslog/NMS alerts for time drift anomalies.
• For security-sensitive or financial environments, more frequent (15-30 mins) checks may be required.

Regular checks ensure early detection of sync issues or misbehaving time sources.

---

YouTube Link

Watch the Complete Python for Network Engineer: NTP synchronization check (cross-vendor) using pyATS for Cisco [Python for Network Engineer] Lab Demo & Explanation on our channel:

---

Join Our Training

Are you ready to master Python for Network Engineer roles across multi-vendor environments?

Trainer Sagar Dhawan, with 14+ years of deep industry experience, is currently leading a 3-month instructor-led training program that blends:

• Python
• Ansible
• Cisco DevNet
• API Testing
• pyATS + Genie
• Real-time projects on EVE-NG

Check Course Details & Enroll Now:
https://course.networkjourney.com/python-ansible-api-cisco-devnet-for-network-engineers/

Don’t miss your chance to upgrade from CLI to Automation using real production topologies with vendor-agnostic tools like pyATS.

Join the next batch and become a Certified Network Automation Engineer!
Because mastering Python for Network Engineer roles is no longer optional—it’s essential.

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

---