verbose: Displays detailed information about all IPv6 NTP associations. If you do not specify this keyword, the command displays only brief information about the IPv6 NTP associations.

Examples

# Display brief information about all IPv6 NTP associations.

<Sysname> display ntp-service ipv6 sessions

Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.

Source: [125]3000::32

Reference: 127.127.1.0 Clock stratum: 2

Reachabilities: 1 Poll interval: 64

Last receive time: 6 Offset: -0.0

Roundtrip delay: 0.0 Dispersion: 0.0

Total sessions: 1

Table 1 Command output

Field	Description
[12345]	· 1—Clock source selected by the system (the current reference source). It has a system clock stratum level less than or equal to 15. · 2—The stratum level of the clock source is less than or equal to 15. · 3—The clock source has survived the clock selection algorithm. · 4—The clock source is a candidate clock source. · 5—The clock source was created by a command.
Source	IPv6 address of the NTP server. If this field displays ::, the IPv6 address of the NTP server has not been resolved successfully.
Reference	Reference clock ID of the NTP server: · If the reference clock is the local clock, the value of this field is related to the value of the Clock stratum field: ¡ When the value of the Clock stratum field is 0 or 1, this field displays Local. ¡ When the Clock stratum field has another value, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. · If the reference clock is the clock of another device on the network, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. If this field displays INIT, the local device has not established a connection with the NTP server.
Clock stratum	Stratum level of the NTP server, which determines the clock accuracy. The value is in the range of 1 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized and cannot be used as a reference clock.
Reachabilities	Reachability count of the NTP server. 0 indicates that the NTP server is unreachable.
Poll interval	Polling interval in seconds. It is the maximum interval between successive NTP messages.
Last receive time	Length of time from when the last NTP message was received or when the local clock was last updated to the current time. Time is in seconds by default. · If the time length is greater than 2048 seconds, it is displayed in minutes. · If the time length is greater than 300 minutes, it is displayed in hours. · If the time length is greater than 96 hours, it is displayed in days. · If the time length is greater than 999 days, it is displayed in years. If the time when the most recent NTP message was received or when the local clock was updated most recently is behind the current time, a hyphen (-) is displayed.
Offset	Offset of the system clock relative to the reference clock, in milliseconds.
Roundtrip delay	Roundtrip delay from the local device to the clock source, in milliseconds.
Dispersion	Maximum error of the system clock relative to the reference source.
Total sessions	Total number of associations.

# Display detailed information about all IPv6 NTP associations.

<Sysname> display ntp-service ipv6 sessions verbose

Clock source: 1::1

Session ID: 36144

Clock stratum: 16

Clock status: configured, insane, valid, unsynced

Reference clock ID: INIT

VPN instance: Not specified

Local mode: sym_active, local poll interval: 6

Peer mode: unspec, peer poll interval: 10

Offset: 0.0000ms, roundtrip delay: 0.0000ms, dispersion: 15937ms

Root roundtrip delay: 0.0000ms, root dispersion: 0.0000ms

Reachabilities:0, sync distance: 15.938

Precision: 2^10, version: 4, source interface: Not specified

Reftime: 00000000.00000000 Thu, Feb 7 2036 6:28:16.000

Orgtime: d17cbb21.0f318106 Tue, May 17 2011 9:15:13.059

Rcvtime: 00000000.00000000 Thu, Feb 7 2036 6:28:16.000

Xmttime: 00000000.00000000 Thu, Feb 7 2036 6:28:16.000

Roundtrip delay samples: 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000

Offset samples: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Filter order: 0 1 2 3 4 5 6 7

Total sessions: 1

Table 2 Command output

Field	Description
Clock source	IPv6 address of the clock source. If this field displays ::, the IPv6 address of the NTP server has not been resolved successfully.
Clock stratum	Stratum level of the NTP server, which determines the clock precision. The value is in the range of 1 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized and cannot be used as a reference clock.
Clock status	Status of the clock source corresponding to this association: · configured—The association was created by a configuration command. · dynamic—The association is established dynamically. · master—The clock source is the primary reference source of the current system. · selected—The clock source has survived the clock selection algorithm. · candidate—The clock source is the candidate reference source. · sane—The clock source has passed authentication and will be used as a reference clock. · insane—The clock source has not passed authentication, or it has passed authentication but will not be used as a reference clock. · valid—The clock source is valid, which means the clock source meets the following requirements: ¡ It has been authenticated and synchronized. ¡ Its stratum level is valid. ¡ Its root delay and root dispersion values are within their ranges. · invalid—The clock source is invalid. · unsynced—The clock source has not been synchronized or the value of the stratum level is invalid.
Reference clock ID	· If the reference clock is the local clock, the value of this field is related to the value of the Clock stratum field: ¡ When the value of the Clock stratum field is 0 or 1, this field displays Local. ¡ When the Clock stratum field has another value, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. · If the reference clock is the clock of another device on the network, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. If this field displays INIT, the local device has not established a connection with the NTP server.
VPN instance	VPN instance of the NTP server. If the NTP server is in a public network, the field is displayed as Not specified.
Local mode	Operation mode of the local device: · unspec—The mode is unspecified. · sym_active—Active mode. · sym_passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode.
local poll interval	Polling interval for the local device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2⁶, or 64 seconds.
peer mode	Operation mode of the peer device: · unspec—The mode is unspecified. · sym_active—Active mode. · sym_passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode.
peer poll interval	Polling interval for the peer device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the polling interval of the local device is 2⁶, or 64 seconds.
Offset	Offset of the system clock relative to the reference clock, in milliseconds.
roundtrip delay	Roundtrip delay from the local device to the clock source, in milliseconds.
dispersion	Maximum error of the system clock relative to the reference clock.
Root roundtrip delay	Roundtrip delay from the local device to the primary reference source, in milliseconds.
root dispersion	Maximum error of the system clock relative to the primary reference clock, in milliseconds.
Reachabilities	Reachability count of the clock source. 0 indicates that the clock source is unreachable.
sync distance	Synchronization distance relative to the upper-level clock, in seconds, and calculated from dispersion and roundtrip delay values.
Precision	Accuracy of the system clock.
version	NTP version in the range of 1 to 4.
source interface	Source interface. If the source interface is not specified, this field is Not specified.
Reftime	Reference timestamp in the NTP message.
Orgtime	Originate timestamp in the NTP message.
Rcvtime	Receive timestamp in the NTP message.
Xmttime	Transmit timestamp in the NTP message.
Filter order	Dispersion information.
Reference clock status	Status of the local clock. The field is displayed only when you use the ntp-service refclock-master command to set the local clock as a reference clock. When the reach field of the local clock is 255, the field is displayed as working normally. Otherwise, the field is displayed as working abnormally.
Total sessions	Total number of associations.

display ntp-service sessions

Use display ntp-service sessions to display information about all IPv4 NTP associations.

Syntax

display ntp-service sessions [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed information about all IPv4 NTP associations. If you do not specify this keyword, the command displays only brief information about the NTP associations.

Usage guidelines

When a device is operating in NTP broadcast or multicast server mode, the display ntp-service sessions command does not display the IPv4 NTP association information corresponding to the broadcast or multicast server, but the associations are counted in the total number of associations.

Examples

# Display brief information about all IPv4 NTP associations.

<Sysname> display ntp-service sessions

source reference stra reach poll now offset delay disper

********************************************************************************

[12345]LOCAL(0) LOCL 0 1 64 - 0.0000 0.0000 7937.9

[5]0.0.0.0 INIT 16 0 64 - 0.0000 0.0000 0.0000

Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.

Total sessions: 1

Table 3 Command output

Field	Description
source	· When the reference clock is the local clock, the field displays LOCAL (number), which indicates that the IP address of the local clock is 127.127.1.number, where number represents the NTP process number in the range of 0 to 3. · When the reference clock is the clock of another device, the field displays the IP address of the NTP server. If this field displays 0.0.0.0, the IP address of the NTP server has not been resolved successfully.
reference	Reference clock ID of the NTP server: · If the reference clock is the local clock, the value of this field is related to the value of the stra field: ¡ When the value of the stra field is 0 or 1, this field displays LOCL. ¡ When the stra field has another value, this field displays the IP address of the local clock. · If the reference clock is the clock of another device on the network, this field displays the IP address of the device. If the device supports IPv6, this field displays the MD5 digest of the first 32 bits of the IPv6 address of the device. If this field displays INIT, the local device has not established a connection with the NTP server.
stra	Stratum level of the clock source, which determines the clock accuracy. The value is in the range of 1 to 16. The clock accuracy decreases from stratum 1 to stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.
reach	Reachability count of the clock source. 0 indicates that the clock source is unreachable.
poll	Polling interval in seconds. It is the maximum interval between successive NTP messages.
now	Length of time from when the last NTP message was received or when the local clock was last updated to the current time. Time is in seconds by default. · If the time length is greater than 2048 seconds, it is displayed in minutes. · If the time length is greater than 300 minutes, it is displayed in hours. · If the time length is greater than 96 hours, it is displayed in days. · If the time length is greater than 999 days, it is displayed in years. If the time when the most recent NTP message was received or when the local clock was updated most recently is behind the current time, a hyphen (-) is displayed.
offset	Offset of the system clock relative to the reference clock, in milliseconds.
delay	Roundtrip delay from the local device to the NTP server, in milliseconds.
disper	Maximum error of the system clock relative to the reference source, in milliseconds.
[12345]	· 1—Clock source selected by the system (the current reference source). It has a system clock stratum level less than or equal to 15. · 2—The stratum level of the clock source is less than or equal to 15. · 3—The clock source has survived the clock selection algorithm. · 4—The clock source is a candidate clock source. · 5—The clock source was created by a configuration command.
Total sessions	Total number of associations.

# Display detailed information about all IPv4 NTP associations.

<Sysname> display ntp-service sessions verbose

Clock source: 192.168.1.40

Session ID: 35888

Clock stratum: 2

Clock status: configured, master, sane, valid

Reference clock ID: 127.127.1.0

VPN instance: Not specified

Local mode: client, local poll interval: 6

Peer mode: server, peer poll interval: 6

Offset: 0.2862ms, roundtrip delay: 3.2653ms, dispersion: 4.5166ms

Root roundtrip delay: 0.0000ms, root dispersion: 10.910ms

Reachabilities:31, sync distance: 0.0194

Precision: 2^18, version: 3, source interface: Not specified

Reftime: d17cbba5.1473de1e Tue, May 17 2011 9:17:25.079

Orgtime: 00000000.00000000 Thu, Feb 7 2036 6:28:16.000

Rcvtime: d17cbbc0.b1959a30 Tue, May 17 2011 9:17:52.693

Xmttime: d17cbbc0.b1959a30 Tue, May 17 2011 9:17:52.693

Roundtrip delay samples: 0.007 0.010 0.006 0.011 0.010 0.005 0.007 0.003

Offset samples: 5629.55 3913.76 5247.27 6526.92 31.99 148.72 38.27 0.29

Filter order: 7 5 2 6 0 4 1 3

Total sessions: 1

Table 4 Command output

Field	Description
Clock source	IP address of the NTP server. If this field displays 0.0.0.0, the IP address of the NTP server has not been resolved successfully.
Clock stratum	Stratum level of the NTP server, which determines the clock accuracy. The value is in the range of 1 to 16. A lower stratum level represents greater clock accuracy. A stratum 16 clock is not synchronized and cannot be used as a reference clock.
Clock status	Status of the clock source corresponding to this association: · configured—The association was created by a configuration command. · dynamic—The association is established dynamically. · master—The clock source is the primary reference source of the current system. · selected—The clock source has survived the clock selection algorithm. · candidate—The clock source is the candidate reference source. · sane—The clock source has passed authentication and will be used as a reference clock. · insane—The clock source has not passed authentication, or it has passed authentication but will not be used as a reference clock. · valid—The clock source is valid, which means the clock source meets the following requirements: ¡ It has been authenticated and synchronized. ¡ Its stratum level is valid. ¡ Its root delay and root dispersion values are within their ranges. · invalid—The clock source is invalid. · unsynced—The clock source has not been synchronized or the value of the stratum level is invalid.
Reference clock ID	Reference clock ID of the NTP server: · If the reference clock is the local clock, the value of this field is related to the value of the Clock stratum field: ¡ When the value of the Clock stratum field is 0 or 1, this field displays LOCL. ¡ When the Clock stratum field has another value, this field displays the IP address of the local clock. · If the reference clock is the clock of another device on the network, this field displays the IP address of the device. If the device supports IPv6, this field displays the MD5 digest of the first 32 bits of the IPv6 address of the device. If this field displays INIT, the local device has not established a connection with the NTP server.
VPN instance	VPN instance to which the NTP server belongs. If the NTP server is in a public network, the field displays Not specified.
Local mode	Operation mode of the local device: · unspec—The mode is unspecified. · active—Active mode. · passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode.
local poll interval	Polling interval of the local device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2⁶, or 64 seconds.
Peer mode	Operation mode of the peer device: · unspec—The mode is unspecified. · active—Active mode. · passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode.
peer poll interval	Polling interval of the peer device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2⁶, or 64 seconds.
Offset	Offset of the system clock relative to the reference clock, in milliseconds.
roundtrip delay	Roundtrip delay from the local device to the NTP server, in milliseconds.
dispersion	Maximum error of the system clock relative to the reference clock.
Root roundtrip delay	Roundtrip delay from the local device to the primary reference source, in milliseconds.
root dispersion	Maximum error of the system clock relative to the primary reference clock, in milliseconds.
Reachabilities	Reachability count of the clock source. 0 indicates that the clock source is unreachable.
sync distance	Synchronization distance relative to the upper-level clock, in seconds, and calculated from dispersion and roundtrip delay values.
Precision	Accuracy of the system clock.
version	NTP version in the range of 1 to 4.
source interface	Source interface. If the source interface is not specified, this field is Not specified.
Reftime	Reference timestamp in the NTP message.
Orgtime	Originate timestamp in the NTP message.
Rcvtime	Receive timestamp in the NTP message.
Xmttime	Transmit timestamp in the NTP message.
Filter order	Sample information order.
Reference clock status	Status of the local clock. The field is displayed only when you use the ntp-service refclock-master command to set the local clock as a reference clock. When the reach field of the local clock is 255, the field is displayed as working normally. Otherwise, the field is displayed as working abnormally.
Total sessions	Total number of associations.

display ntp-service status

Use display ntp-service status to display NTP service status.

Syntax

display ntp-service status

View

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display NTP service status after time synchronization.

<Sysname> display ntp-service status

Clock status: synchronized

Clock stratum: 2

System peer: LOCAL(0)

Local mode: client

Reference clock ID: 127.127.1.0

Leap indicator: 00

Clock jitter: 0.000977 s

Stability: 0.000 pps

Clock precision: 2^-10

Root delay: 0.00000 ms

Root dispersion: 3.96367 ms

Reference time: d0c5fc32.92c70b1e Wed, Dec 29 2010 18:28:02.573

# Display the NTP service status when time is not synchronized.

<Sysname> display ntp-service status

Clock status: unsynchronized

Clock stratum: 16

Reference clock ID: none

Clock jitter: 0.000000 s

Stability: 0.000 pps

Clock precision: 2^-10

Root delay: 0.00000 ms

Root dispersion: 0.00002 ms

Reference time: d0c5fc32.92c70b1e Wed, Dec 29 2010 18:28:02.573

Table 5 Command output

Field	Description
Clock status	Status of the system clock: · synchronized—The system clock has been synchronized. · unsynchronized—The system clock has not been synchronized.
Clock stratum	Stratum level of the system clock.
System peer	IP address of the selected NTP server.
Local mode	Operation mode of the local device: · unspec—The mode is unspecified. · active—Active mode. · passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode.
Reference clock ID	For an IPv4 NTP server: The field represents the IP address of the remote server when the local device is synchronized to a remote NTP server. The field represents the local clock when the local device uses the local clock as a reference source. · When the local clock has a stratum level of 1, this field displays Local. · When the local clock has any other stratum, this field displays the IP address of the local clock. For an IPv6 NTP server: The field represents the MD5 digest of the first 32 bits of the IPv6 address of the remote server when the local device is synchronized to a remote IPv6 NTP server. The field represents the local clock when the local device uses the local clock as a reference source. · When the local clock has a stratum level of 1, this field displays Local. · When the local clock has any other stratum, this field displays the MD5 digest of the first 32 bits of the IPv6 address of the local clock.
Leap indicator	Alarming status: · 00—Normal. · 01—Leap second, indicates that the last minute in a day has 61 seconds. · 10—Leap second, indicates that the last minute in a day has 59 seconds. · 11—Time is not synchronized.
Clock jitter	Difference between the system clock and reference clock, in seconds.
Stability	Clock frequency stability. A lower value represents better stability.
Clock precision	Accuracy of the system clock.
Root delay	Roundtrip delay from the local device to the primary reference source, in milliseconds.
Root dispersion	Maximum error of the system clock relative to the primary reference source, in milliseconds.
Reference time	Reference timestamp.

display ntp-service trace

Use display ntp-service trace to display brief information about each NTP server from the local device back to the primary reference source.

Syntax

display ntp-service trace

View

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display brief information about each NTP server from the local device back to the primary reference source.

<Sysname> display ntp-service trace

Server 127.0.0.1

Stratum 3, jitter 0.000, synch distance 0.0000.

Server 3000::32

Stratum 2 , jitter 790.00, synch distance 0.0000.

RefID 127.127.1.0

The output shows that server 127.0.0.1 is synchronized to server 3000::32, and server 3000::32 is synchronized to the local clock.

Table 6 Command output

Field	Description
Server	IP address of the NTP server.
Stratum	Stratum level of the NTP server.
jitter	Root mean square (RMS) value of the clock offset relative to the upper-level clock, in seconds.
synch distance	Synchronization distance relative to the upper-level NTP server, in seconds, calculated from dispersion and roundtrip delay values.
RefID	Identifier of the primary reference source. When the stratum level of the primary reference clock is 0, it is displayed as Local. Otherwise, it is displayed as the IP address of the primary reference clock.

ntp-service acl

Use ntp-service acl to configure the right for peer devices to access the NTP services on the local device.

Use undo ntp-service acl to remove the configured NTP service access right.

Syntax

ntp-service { peer | query | server | synchronization } acl acl-number

undo ntp-service { peer | query | server | synchronization } [acl acl-number]

Default

The right for peer devices to access the NTP services on the local device is peer.

Views

System view

Predefined user roles

network-admin

Parameters

peer: Allows time requests and NTP control queries (such as alarms, authentication status, and time server information) from a peer device and allows the local device to synchronize itself to a peer device.

query: Allows only NTP control queries from a peer device to the local device.

server: Allows time requests and NTP control queries from a peer device, but does not allow the local device to synchronize itself to a peer device.

synchronization: Allows only time requests from a system whose address passes the access list criteria.

acl acl-number: Specifies an ACL. The peer devices that match the ACL have the access right specified in the command. The acl-number argument represents a basic ACL number in the range of 2000 to 2999.

Usage guidelines

When the device receives an NTP request, it matches the request against the access rights in order from the least restrictive to the most restrictive: peer, server, synchronization, and query.

· If no NTP access control is configured, the peer access right applies.

· If the IP address of the peer device matches a permit statement in an ACL, the access right is granted to the peer device. If a deny statement or no ACL is matched, no access right is granted.

· If no IPv4 ACL is specified for an access right or the ACL specified for the access right is not created, the access right is not granted.

· If none of the IPv4 ACLs specified for the access rights is created, the peer access right applies.

· If none of the IPv4 ACLs specified for the access rights contains rules, no access right is granted.

The ntp-service acl command provides minimal security for a system running NTP. A more secure method is NTP authentication.

Examples

# Configure the peer devices on subnet 10.10.0.0/16 to have full access to the local device.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-basic-2001] quit

[Sysname] ntp-service access peer acl 2001

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

ntp-service authentication enable

Use ntp-service authentication enable to enable NTP authentication.

Use undo ntp-service authentication enable to disable NTP authentication.

Syntax

ntp-service authentication enable

undo ntp-service authentication enable

Default

NTP authentication is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Enable NTP authentication in networks that require time synchronization security to make sure NTP clients are synchronized only to authenticated NTP servers.

To authenticate an NTP server, set an authentication key and specify it as a trusted key.

Examples

# Enable NTP authentication.

<Sysname> system-view

[Sysname] ntp-service authentication enable

Related commands

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

ntp-service authentication-keyid

Use ntp-service authentication-keyid to set an NTP authentication key.

Use undo ntp-service authentication-keyid to remove an NTP authentication key.

Syntax

ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *

undo ntp-service authentication-keyid keyid

Default

No NTP authentication key exists.

Views

System view

Predefined user roles

network-admin

Parameters

keyid: Specifies an authentication key ID in the range of 1 to 4294967295.

authentication-mode: Specifies an authentication algorithm.

· hmac-sha-1: Specifies the HMAC-SHA-1 algorithm.

· hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.

· hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.

· hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.

· md5: Specifies the MD5 algorithm.

cipher: Specifies an authentication key in encrypted form.

simple: Specifies an authentication key in plaintext form. For security purposes, the authentication key specified in plaintext form will be stored in encrypted form.

string: Specifies a case-sensitive authentication key. Its plaintext form is a string of 1 to 32 characters. Its encrypted form is a string of 1 to 73 characters.

acl ipv4-acl-number: Specifies an IPv4 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.

ipv6 acl ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.

Usage guidelines

For time synchronization security, you need to enable NTP authentication on systems running NTP to ensure that NTP clients are synchronized only to authenticated NTP servers.

The key ID in the message from the peer device identifies the key used for authentication. The acl ipv4-acl-number and acl ipv6-acl-number options are used to identify the peer device that can use the key ID.

· If the specified IPv4 or IPv6 ACL does not exist, any device can use the key ID for authentication.

· If the specified IPv4 or IPv6 ACL does not contain any rules, no device can use the key ID for authentication.

You can set a maximum of 128 NTP authentication keys.

To ensure a successful NTP authentication, configure the same authentication key ID, algorithm, and key on the time server and client. Make sure the peer device is allowed to use the key ID for authentication on the local device.

After you specify an NTP authentication key, use the ntp-service reliable authentication-keyid command to configure the key as a trusted key. The key automatically changes to untrusted after you delete the key. You do not need to execute the undo ntp-service reliable authentication-keyid command.

Examples

# Set a plaintext MD5 authentication key, with the key ID of 10 and key value of BetterKey.

<Sysname> system-view

[Sysname] ntp-service authentication enable

[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 simple BetterKey

Related commands

· ntp-service authentication enable

· ntp-service reliable authentication-keyid

ntp-service broadcast-client

Use ntp-service broadcast-client to configure the device to operate in NTP broadcast client mode and use the current interface to receive NTP broadcast packets.

Use undo ntp-service broadcast-client to remove the configuration.

Syntax

ntp-service broadcast-client

undo ntp-service broadcast-client

Default

The device does not operate in any NTP association mode.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

After you configure the command, the device listens to NTP messages sent by the NTP broadcast server and is synchronized based on the received NTP messages.

If you have configured the device to operate in broadcast client mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.

Examples

# Configure the device to operate in broadcast client mode and receive NTP broadcast messages on VLAN-interface 1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ntp-service broadcast-client

Related commands

ntp-service broadcast-server

Use ntp-service broadcast-server to configure the device to operate in NTP broadcast server mode and use the current interface to send NTP broadcast packets.

Use undo ntp-service broadcast-server to remove the configuration.

Syntax

ntp-service broadcast-server [ authentication-keyid keyid | version number ] *

undo ntp-service broadcast-server

Default

The device does not operate in any NTP association mode.

Views

Interface view

Predefined user roles

network-admin

Parameters

authentication-keyid keyid: Specifies the key ID to be used for sending broadcast messages to broadcast clients, where keyid is in the range of 1 to 4294967295. If this option is not specified, the local device cannot synchronize broadcast clients enabled with NTP authentication.

version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 4.

Usage guidelines

After you configure the command, the device periodically sends NTP messages to the broadcast address 255.255.255.255.

If you have configured the device to operate in broadcast server mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.

Examples

# Configure the device to operate in broadcast server mode and send NTP broadcast messages on VLAN-interface 1, using key 4 for encryption, and set the NTP version to 4.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ntp-service broadcast-server authentication-keyid 4 version 4

Related commands

ntp-service broadcast-client

ntp-service dscp

Use ntp-service dscp to set a DSCP value for IPv4 NTP packets.

Use undo ntp-service dscp to restore the default.

Syntax

ntp-service dscp dscp-value

undo ntp-service dscp

Default

The DSCP value for IPv4 NTP packets is 48.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Sets a DSCP value in the range of 0 to 63 for IPv4 NTP packets.

Usage guidelines

The DSCP value is included in the ToS field of an IPv4 packet to identify the packet priority.

Examples

# Set the DSCP value for IPv4 NTP packets to 30.

<Sysname> system-view

[Sysname] ntp-service dscp 30

ntp-service enable

Use ntp-service enable to enable the NTP service.

Use undo ntp-service enable to disable the NTP service.

Syntax

ntp-service enable

undo ntp-service enable

Default

The NTP service is not enabled.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the NTP service.

<Sysname> system-view

[Sysname] ntp-service enable

ntp-service inbound enable

Use ntp-service inbound enable to enable an interface to process NTP messages.

Use undo ntp-service inbound enable to disable an interface from processing NTP messages.

Syntax

ntp-service inbound enable

undo ntp-service inbound enable

Default

An interface processes NTP messages.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

To disable an interface on the device from synchronizing the peer device in the corresponding subnet or disable the device from being synchronized by the peer device in the subnet corresponding to an interface, execute the undo ntp-service inbound enable command on the interface.

Examples

# Disable VLAN-interface 1 from processing NTP messages.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] undo ntp-service inbound enable

ntp-service ipv6 acl

Use ntp-service ipv6 acl to configure the right for peer devices to access the IPv6 NTP services on the local device.

Use undo ntp-service ipv6 acl to remove the configured IPv6 NTP service access right.

Syntax

ntp-service ipv6 { peer | query | server | synchronization } acl acl-number

undo ntp-service ipv6 { peer | query | server | synchronization } [ acl acl-number ]

Default

The right for peer devices to access the IPv6 NTP services on the local device is peer.

Views

System view

Predefined user roes

network-admin

Parameters

peer: Allows time requests and NTP control queries (such as alarms, authentication status, and time server information) and allows the local device to synchronize itself to a peer device.

query: Allows only NTP control queries from a peer device to the local device.

server: Allows time requests and NTP control queries, but does not allow the local device to synchronize itself to a peer device.

synchronization: Allows only time requests from a system whose address passes the access list criteria.

Usage guidelines

When the device receives an IPv6 NTP request, it matches the request against the access rights in order from the least restrictive to the most restrictive: peer, server, synchronization, and query.

· If no IPv6 NTP access control is configured, the peer access right applies.

· If the IP address of the peer device matches a permit statement in an IPv6 ACL, the access right is granted to the peer device. If a deny statement or no IPv6 ACL is matched, no access right is granted.

· If no IPv6 ACL is specified for an access right or the IPv6 ACL specified for the access right is not created, the access right is not granted.

· If none of the IPv6 ACLs specified for the access rights is created, the peer access right applies.

· If none of the IPv6 ACLs specified for the access rights contains rules, no access right is granted.

The ntp-service ipv6 acl command provides a minimum security method. NTP authentication is more secure.

Examples

# Configure the peer devices on subnet 2001::1 to have full access to the local device.

<Sysname> system-view

[Sysname] acl ipv6 number 2001

[Sysname-acl6-basic-2001] rule permit source 2001::1 64

[Sysname-acl6-basic-2001] quit

[Sysname] ntp-service ipv6 peer acl 2001

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

ntp-service ipv6 dscp

Use ntp-service ipv6 dscp to configure a DSCP value for IPv6 NTP packets.

Use undo ntp-service ipv6 dscp to restore the default.

Syntax

ntp-service ipv6 dscp dscp-value

undo ntp-service ipv6 dscp

Default

The DSCP value for IPv6 NTP packets is 56.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies a DSCP value in the range of 0 to 63 for IPv6 NTP packets.

Usage guidelines

The DSCP value is included in the Traffic Class field of an IPv6 packet to identify the packet priority.

Examples

# Set the DSCP value for IPv6 NTP packets to 30.

<Sysname> system-view

[Sysname] ntp-service ipv6 dscp 30

ntp-service ipv6 inbound enable

Use ntp-service ipv6 inbound enable to enable an interface to process IPv6 NTP messages.

Use undo ntp-service ipv6 inbound enable to disable an interface from processing IPv6 NTP messages.

Syntax

ntp-service ipv6 inbound enable

undo ntp-service ipv6 inbound enable

Default

An interface processes IPv6 NTP messages.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

To disable an interface on the device from synchronizing the peer devices in the corresponding subnet or disable the device from being synchronized by the peer devices in the subnet corresponding to an interface, execute the undo ntp-service ipv6 inbound enable command on the interface.

Examples

# Disable VLAN-interface 1 from processing IPv6 NTP messages.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] undo ntp-service ipv6 inbound enable

ntp-service ipv6 multicast-client

Use ntp-service ipv6 multicast-client to configure the device to operate in IPv6 NTP multicast client mode and use the current interface to receive IPv6 NTP multicast packets.

Use undo ntp-service ipv6 multicast-client to remove the configuration.

Syntax

ntp-service ipv6 multicast-client ipv6-multicast-address

undo ntp-service ipv6 multicast-client ipv6-multicast-address

Default

The device does not operate in any NTP association mode.

View

Interface view

Predefined user roles

network-admin

Parameters

ipv6-multicast-address: Specifies an IPv6 multicast IP address. An IPv6 broadcast client and an IPv6 broadcast server must be configured with the same multicast address.

Usage guidelines

After you configure the command, the device listens to IPv6 NTP messages using the specified multicast address as the destination address. It is synchronized based on the received IPv6 NTP messages.

If you have configured the device to operate in IPv6 multicast client mode on an interface by using the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.

Examples

# Configure the device to operate in IPv6 multicast client mode and receive IPv6 NTP multicast messages with the destination FF21::1 on VLAN-interface 1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ntp-service ipv6 multicast-client ff21::1

Related commands

ntp-service ipv6 multicast-server

Use ntp-service ipv6 multicast-server to configure the device to operate in IPv6 NTP multicast server mode and use the current interface to send IPv6 NTP multicast packets.

Use undo ntp-service ipv6 multicast-server to remove the configuration.

Syntax

ntp-service ipv6 multicast-server ipv6-multicast-address [ authentication-keyid keyid | ttl ttl-number ] *

undo ntp-service ipv6 multicast-server ipv6-multicast-address

Default

The device does not operate in any NTP association mode.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-multicast-address: Specifies an IPv6 multicast IP address. An IPv6 multicast client and server must be configured with the same multicast address.

authentication-keyid keyid: Specifies the key ID to be used for sending multicast messages to multicast clients, where keyid is in the range of 1 to 4294967295. If this option is not specified, the local device cannot synchronize clients enabled with NTP authentication.

ttl ttl-number: Specifies the TTL of NTP multicast messages. The value range for the ttl-number argument is 1 to 255, and the default is 16.

Usage guidelines

After you configure the command, the device periodically sends NTP messages to the specified IPv6 multicast address.

If you have configured the device to operate in IPv6 multicast server mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.

Examples

# Configure the device to operate in IPv6 multicast server mode and send IPv6 NTP multicast messages on VLAN-interface 1 to the multicast address FF21::1, using key 4 for encryption.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ntp-service ipv6 multicast-server ff21::1 authentication-keyid 4

Related commands

ntp-service ipv6 multicast-client

ntp-service ipv6 source

Use ntp-service ipv6 source to specify the source interface for IPv6 NTP messages.

Use undo ntp-service ipv6 source to restore the default.

Syntax

ntp-service ipv6 source interface-type interface-number

undo ntp-service ipv6 source

Default

No source interface is specified for IPv6 NTP messages. The device automatically selects the source IP address for IPv6 NTP messages. For more information, see RFC 3484.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

If you specify the source interface for IPv6 NTP messages, the device sets the source IP address of the IPv6 NTP messages as the primary IP address of the specified interface when sending the IPv6 NTP messages.

When the device responds to an IPv6 NTP request, the source IPv6 address of the NTP response is always the IPv6 address of the interface that has received the IPv6 NTP request.

If you do not want the IPv6 address of a certain interface on the local device to become the destination address for response messages, use the command.

· If you have specified the source interface for IPv6 NTP messages in the ntp-service ipv6 unicast-server or ntp-service ipv6 unicast-peer command, the interface specified in the ntp-service ipv6 unicast-server or ntp-service ipv6 unicast-peer command works as the source interface for IPv6 NTP messages. If you have configured the ntp-service ipv6 broadcast-server or ntp-service ipv6 multicast-server command in an interface view, the interface acts the source interface for the broadcast or multicast NTP messages.

· If the specified source interface is down, the device does not send IPv6 NTP messages.

Examples

# Specify the source interface of IPv6 NTP messages as VLAN-interface 1.

<Sysname> system-view

[Sysname] ntp-service ipv6 source vlan-interface 1

ntp-service ipv6 unicast-peer

Use ntp-service ipv6 unicast-peer to specify an IPv6 symmetric-passive peer for the device.

Use undo ntp-service ipv6 unicast-peer to remove the IPv6 symmetric-passive peer specified for the device.

Syntax

ntp-service ipv6 unicast-peer { peer-name | ipv6-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number ] *

undo ntp-service ipv6 unicast-peer { peer-name | ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No IPv6 symmetric-passive peer is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

peer-name: Specifies the host name of the symmetric-passive peer, a case-insensitive string of 1 to 253 characters.

ipv6-address: Specifies the IPv6 address of the symmetric-passive peer. It must be a unicast address, rather than a multicast address.

vpn-instance vpn-instance-name: Specifies the VPN instance to which the symmetric-passive peer belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the symmetric-passive peer is on the public network, do not specify this option.

authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the peer, where keyid is in the range of 1 to 4294967295. If this option is not specified, the local device and the peer do not authenticate each other.

priority: Specifies the peer specified by ip-address or peer-name as the first choice under the same condition.

source interface-type interface-number: Specifies the source interface for IPv6 NTP messages. If the specified passive peer address is not a link local address, the source IPv6 address for IPv6 NTP messages sent by the local device is the IPv6 address of the specified source interface. If the specified passive peer address is a link local address, the IPv6 NTP messages are sent from the specified source interface. The interface-type interface-number argument represents the interface type and number. If you do not specify an interface, the device automatically selects the source IPv6 address of IPv6 NTP messages. For more information, see RFC 3484.

Usage guidelines

When you specify an IPv6 passive peer for the device, the device and its IPv6 passive peer can be synchronized to each other. If their clocks are in synchronized state, the clock with a high stratum level is synchronized to the clock with a lower stratum level.

To synchronize the PE to a PE or CE in a VPN, provide the vpn-instance vpn-instance-name option in the command.

If you include the vpn-instance vpn-instance-name option in the undo ntp-service ipv6 unicast-peer command, the command removes the symmetric-passive peer with the IPv6 address of ipv6-address in the specified VPN. If you do not include the vpn-instance vpn-instance-name option in the command, the command removes the symmetric-passive peer with the IPv6 address of ipv6-address in the public network.

Examples

# Specify the device with the IPv6 address of 2001::1 as the symmetric-passive peer of the device, and specify the source interface for IPv6 NTP messages as VLAN-interface 1.

<Sysname> system-view

[Sysname] ntp-service ipv6 unicast-peer 2001::1 source vlan-interface 1

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

ntp-service ipv6 unicast-server

Use ntp-service ipv6 unicast-server to specify an IPv6 NTP server for the device.

Use undo ntp-service ipv6 unicast-server to remove an IPv6 NTP server specified for the device.

Syntax

ntp-service ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number ] *

undo ntp-service ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No IPv6 NTP server is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the host name of the NTP server, a case-insensitive string of 1 to 253 characters.

ipv6-address: Specifies the IPv6 address of the NTP server. It must be a unicast address, rather than a multicast address.

vpn-instance vpn-instance-name: Specifies the VPN instance to which the NTP server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the NTP server is on the public network, do not specify this option.

authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server, where keyid is in the range of 1 to 4294967295. If this option is not specified, the local device and NTP server do not authenticate each other.

priority: Specifies this NTP server as the first choice under the same condition.

source interface-type interface-number: Specifies the source interface for IPv6 NTP messages. If the specified IPv6 NTP server address is not a link local address, the source IPv6 address for IPv6 NTP messages sent by the local device to the NTP server is the IPv6 address of the specified source interface. If the specified IPv6 NTP server address is a link local address, the IPv6 NTP messages are sent from the specified source interface, and the source address of the messages is the link local address of the interface. The interface-type interface-number argument represents the interface type and number. If you do not specify an interface, the device automatically selects the source IPv6 address of IPv6 NTP messages. For more information, see RFC 3484.

Usage guidelines

When you specify an IPv6 NTP server for the device, the device is synchronized to the IPv6 NTP server, but the IPv6 NTP server is not synchronized to the device.

To synchronize the PE to a PE or CE in a VPN, specify the vpn-instance vpn-instance-name option in the command.

If you include the vpn-instance vpn-instance-name option in the undo ntp-service unicast-server command, the command removes the NTP server with the IP address of ip-address in the specified VPN. If you do not include the vpn-instance vpn-instance-name option in the command, the command removes the NTP server with the IP address of ip-address in the public network.

If the specified IPv6 address of the NTP server is a link local address, you must specify the source interface for NTP messages and cannot specify a VPN for the NTP server.

Examples

# Specify the IPv6 NTP server 2001::1 for the device.

<Sysname> system-view

[Sysname] ntp-service ipv6 unicast-server 2001::1

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

ntp-service max-dynamic-sessions

Use ntp-service max-dynamic-sessions to set the maximum number of dynamic NTP sessions allowed to be established locally.

Use undo ntp-service max-dynamic-sessions to restore the default.

Syntax

ntp-service max-dynamic-sessions number

undo ntp-service max-dynamic-sessions

Default

The maximum number of dynamic NTP sessions is 100.

View

System view

Predefined user roles

network-admin

Parameters

number: Sets the maximum number of dynamic NTP associations allowed to be established, in the range of 0 to 100.

Usage guidelines

A single device can have a maximum of 128 concurrent associations, including static associations and dynamic associations. A static association refers to an association that a user has manually created by using an NTP command, while a dynamic association is a temporary association created by the system during operation.

Examples

# Set the maximum number of dynamic NTP associations allowed to be established to 50.

<Sysname> system-view

[Sysname] ntp-service max-dynamic-sessions 50

Related commands

display ntp-service sessions

ntp-service multicast-client

Use ntp-service multicast-client to configure the device to operate in NTP multicast client mode and use the current interface to receive NTP multicast packets.

Use undo ntp-service multicast-client to remove the configuration.

Syntax

ntp-service multicast-client [ ip-address ]

undo ntp-service multicast-client [ ip-address ]

Default

The device does not operate in any NTP association mode.

View

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a multicast IP address. The default is 224.0.1.1. A multicast server and client must be configured with the same multicast IP address.

Usage guidelines

After you configure the command, the device listens to NTP messages using the specified multicast address as the destination address.

If you have configured the device to operate in multicast client mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.

Examples

# Configure the device to operate in multicast client mode and receive NTP multicast messages on VLAN-interface 1, and set the multicast address to 224.0.1.1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ntp-service multicast-client 224.0.1.1

Related commands

ntp-service multicast-server

Use ntp-service multicast-server to configure the device to operate in NTP multicast server mode and use the current interface to send NTP multicast packets.

Use undo ntp-service multicast-server to remove the configuration.

Syntax

ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *

undo ntp-service multicast-server [ ip-address ]

Default

The device does not operate in any NTP association mode.

View

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a multicast IP address. The default is 224.0.1.1. A multicast server and client must be configured with the same multicast IP address.

ttl ttl-number: Specifies the TTL of NTP multicast messages, where ttl-number is in the range of 1 to 255. The default value is 16.

version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 4.

Usage guidelines

After you configure the command, the device periodically sends NTP messages to the specified multicast address.

If you have configured the device to operate in multicast server mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.

Examples

# Configure the device to operate in multicast server mode and send NTP multicast messages on VLAN-interface 1 to the multicast address 224.0.1.1, using key 4 for encryption, and set the NTP version to 4.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ntp-service multicast-server 224.0.1.1 version 4 authentication-keyid 4

Related commands

ntp-service multicast-client

ntp-service refclock-master

Use ntp-service refclock-master to configure the local clock as a reference source for other devices.

Use undo ntp-service refclock-master to remove the configuration.

Syntax

ntp-service refclock-master [ ip-address ] [ stratum ]

undo ntp-service refclock-master [ ip-address ]

Default

The device does not use its local clock as a reference clock.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: IP address of the local clock, which is 127.127.1.u, where u is the NTP process ID in the range of 0 to 3. If you do not specify ip-address, it defaults to 127.127.1.0.

stratum: Stratum level of the local clock, in the range of 1 to 15. The default value is 8. A lower stratum level represents a higher clock accuracy.

Usage guidelines

Usually an NTP server that gets its time from an authoritative time source, such as an atomic clock has stratum 1 and operates as the primary time server to provide time synchronization for other devices in the network. The accuracy of each server is the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level.

If the devices in a network cannot synchronize to an authoritative time source, you can select a device that has a relatively accurate clock from the network, and use the local clock of the device as the reference clock to synchronize other devices in the network.

Use the command with caution to avoid time errors. As a best practice, adjust the local system time to a correct value before you execute the command.

Examples

# Specify the local clock as the reference source, with the stratum level 2.

<Sysname> system-view

[Sysname] ntp-service refclock-master 2

ntp-service reliable authentication-keyid

Use ntp-service reliable authentication-keyid to specify the created authentication key as a trusted key.

Use undo ntp-service reliable authentication-keyid to remove the configuration.

Syntax

ntp-service reliable authentication-keyid keyid

undo ntp-service reliable authentication-keyid keyid

Default

No trust key is specified.

Views

System view

Predefined user roles

network-admin

Parameters

keyid: Specifies an authentication key number in the range of 1 to 4294967295.

Usage guidelines

When NTP authentication is enabled, a client can be synchronized only to a server that can provide a trusted authentication key.

Before you use the command, make sure NTP authentication is enabled and an authentication key is configured. The key automatically changes to untrusted after you delete the key. In this case, you do not need to execute the undo ntp-service reliable authentication-keyid command.

You can set a maximum of 128 keys by executing the command.

Examples

# Enable NTP authentication, specify the MD5 algorithm, with the key ID of 37 and key value of BetterKey.

<Sysname> system-view

[Sysname] ntp-service authentication enable

[Sysname] ntp-service authentication-keyid 37 authentication-mode md5 simple BetterKey

# Specify this key as a trusted key.

[Sysname] ntp-service reliable authentication-keyid 37

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

ntp-service source

Use ntp-service source to specify the source interface for NTP messages.

Use undo ntp-service source to restore the default.

Syntax

ntp-service source interface-type interface-number

undo ntp-service source

Default

No source interface is specified for NTP messages. The device searches the routing table for the outbound interface of NTP messages, and uses the primary IP address of the outbound interface as the source IP address for NTP messages.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

If you specify the source interface for NTP messages, the device sets the source IP address of the NTP messages as the primary IP address of the specified interface when sending the NTP messages.

When the device responds to an NTP request, the source IP address of the NTP response is always the IP address of the interface that has received the NTP request.

If you do not want the IP address of an interface on the local device to become the destination address for response messages, use the command.

· If you have specified the source interface for NTP messages in the ntp-service unicast-server or ntp-service unicast-peer command, the interface specified in the ntp-service unicast-server or ntp-service unicast-peer command works as the source interface for NTP messages.

· If you have configured the ntp-service broadcast-server or ntp-service multicast-server command, the source interface for the broadcast or multicast NTP messages is the interface configured with the respective command.

· If the specified source interface is down, the device does not send NTP messages.

Examples

# Specify the source interface for NTP messages as VLAN-interface 1.

<Sysname> system-view

[Sysname] ntp-service source vlan-interface 1

ntp-service unicast-peer

Use ntp-service unicast-peer to specify a symmetric-passive peer for the device.

Use undo ntp-service unicast-peer to remove the symmetric-passive peer specified for the device.

Syntax

ntp-service unicast-peer { peer-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version number ] *

undo ntp-service unicast-peer { peer-name | ip-address } [ vpn-instance vpn-instance-name ]

Default

No symmetric-passive peer is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

peer-name: Specifies the host name of the symmetric-passive peer, a case-insensitive string of 1 to 253 characters.

ip-address: Specifies the IP address of the symmetric-passive peer. It must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock.

priority: Specifies the peer specified by ip-address or peer-name as the first choice under the same condition.

source interface-type interface-number: Specifies the source interface for NTP messages. In an NTP message the local device sends to its peer, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number.

version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 4.

Usage guidelines

When you specify a passive peer for the device, the device and its passive peer can be synchronized to each other. If their clocks are in synchronized state, the clock with a high stratum level is synchronized to the clock with a lower stratum level.

To synchronize the PE to a PE or CE in a VPN, provide vpn-instance vpn-instance-name in your command.

If you include vpn-instance vpn-instance-name in the undo ntp-service unicast-peer command, the command removes the symmetric-passive peer with the IP address of ip-address in the specified VPN. If you do not include vpn-instance vpn-instance-name in the command, the command removes the symmetric-passive peer with the IP address of ip-address in the public network.

Examples

# Specify the device with the IP address of 10.1.1.1 as the symmetric-passive peer of the device, configure the device to run NTP version 4, and specify the source interface of NTP messages as VLAN-interface 1.

<Sysname> system-view

[Sysname] ntp-service unicast-peer 10.1.1.1 version 4 source-interface vlan-interface 1

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

ntp-service unicast-server

Use ntp-service unicast-server to specify an NTP server for the device.

Use undo ntp-service unicast-server to remove an NTP server specified for the device.

Syntax

ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version number ] *

undo ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ]

Default

No NTP server is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the host name of the NTP server, a case-insensitive string of 1 to 253 characters.

ip-address: Specifies the IP address of the NTP server. It must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock.

authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server, where keyid is in the range of 1 to 4294967295. If the option is not specified, the local device and NTP server do not authenticate each other.

priority: Specifies this NTP server as the first choice under the same condition.

source interface-type interface-number: Specifies the source interface for NTP messages. For an NTP message the local device sends to the NTP server, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number.

version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 4.

Usage guidelines

When you specify an NTP server for the device, the device is synchronized to the NTP server, but the NTP server is not synchronized to the device.

To synchronize the PE to a PE or CE in a VPN, provide vpn-instance vpn-instance-name in your command.

Examples

# Specify NTP server 10.1.1.1 for the device, and configure the device to run NTP version 4.

<Sysname> system-view

[Sysname] ntp-service unicast-server 10.1.1.1 version 4

Related commands

· ntp-service authentication enable

· ntp-service authentication-keyid

· ntp-service reliable authentication-keyid

SNTP commands

display sntp ipv6 sessions

Use display sntp ipv6 sessions to display information about all IPv6 SNTP associations.

Syntax

display sntp ipv6 sessions

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all IPv6 SNTP associations.

<Sysname> display sntp ipv6 sessions

SNTP server: 2001::1

Stratum: 16

Version: 4

Last receive time: No packet was received.

SNTP server: 2001::100

Stratum: 3

Version: 4

Last receive time: Fri, Oct 21 2011 11:28:28.058 (Synced)

Table 7 Command output

Field	Description
SNTP server	SNTP server (NTP server). If this field displays ::, the IPv6 address of the NTP server has not been resolved successfully.
Stratum	Stratum level of the NTP server, which determines the clock accuracy. It is in the range of 1 to 16. A lower stratum level represents a higher clock accuracy. A clock with stratum level 16 is not synchronized.
Version	SNTP version.
Last receive time	Time when the last message was received: · Synced—The local clock is synchronized to the NTP server. · No packet was received—The device has not received any SNTP session information from the server.

display sntp sessions

Use display sntp sessions to display information about all IPv4 SNTP associations.

Syntax

display sntp sessions

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all IPv4 SNTP associations.

<Sysname> display sntp sessions

SNTP server Stratum Version Last receive time

1.0.1.11 2 4 Tue, May 17 2011 9:11:20.833 (Synced)

Table 8 Command output

Field	Description
SNTP server	SNTP server (NTP server). If this field displays 0.0.0.0, the IP address of the NTP server has not been resolved successfully.
Stratum	Stratum level of the NTP server, which determines the clock accuracy. It is in the range of 1 to 16. A lower stratum level represents higher clock accuracy. A clock with stratum level 16 is not synchronized.
Version	SNTP version.
Last receive time	Time when the last message was received. Synced means the local clock is synchronized to the NTP server.

sntp authentication enable

Use sntp authentication enable to enable SNTP authentication.

Use undo sntp authentication enable to disable SNTP authentication.

Syntax

sntp authentication enable

undo sntp authentication enable

Default

SNTP authentication is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You need to enable SNTP authentication in networks that require time synchronization security to make sure SNTP clients are synchronized only to authenticated NTP servers.

To authenticate an NTP server, set an authentication key and specify it as a trusted key.

Examples

# Enable SNTP authentication.

<Sysname> system-view

[Sysname] sntp authentication enable

Related commands

· sntp authentication-keyid

· sntp reliable authentication-keyid

sntp authentication-keyid

Use sntp authentication-keyid to set an SNTP authentication key.

Use undo sntp authentication-keyid to remove an SNTP authentication key.

Syntax

sntp authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *

undo sntp authentication-keyid keyid

Default

No SNTP authentication key exists.

Views

System view

Predefined user roles

network-admin

Parameters

keyid: Specifies an authentication key ID in the range of 1 to 4294967295.

authentication-mode: Specifies an authentication algorithm.

· hmac-sha-1: Specifies the HMAC-SHA-1 algorithm.

· hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.

· hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.

· hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.

· md5: Specifies the MD5 algorithm.

cipher: Specifies an authentication key in encrypted form.

simple: Specifies an authentication key in plaintext form. For security purposes, the authentication key specified in plaintext form will be stored in encrypted form.

string: Specifies a case-sensitive authentication key. Its plaintext form is a string of 1 to 32 characters. Its encrypted form is a string of 1 to 73 characters.

acl ipv4-acl-number: Specifies an IPv4 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.

ipv6 acl ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.

Usage guidelines

For time synchronization security, you need to enable SNTP authentication on systems running SNTP to ensure that SNTP clients are synchronized only to authenticated NTP servers.

· If the specified IPv4 or IPv6 ACL does not exist, any device can use the key ID for authentication.

· If the specified IPv4 or IPv6 ACL does not contain any rules, no device can use the key ID for authentication.

You can set a maximum of 128 SNTP authentication keys.

To ensure a successful authentication, configure the same authentication key ID, algorithm, and key on the time server and client. Make sure the peer device is allowed to use the key ID for authentication on the local device.

After you configure an SNTP authentication key, use the sntp reliable authentication-keyid command to configure it as a trusted key. The key automatically changes to untrusted after you delete the key. You do not need to execute the undo sntp-service reliable authentication-keyid command.

Examples

# Set an MD5 authentication key, with the key ID of 10 and key value of BetterKey. Input the key in plain text.

<Sysname> system-view

[Sysname] sntp authentication enable

[Sysname] sntp authentication-keyid 10 authentication-mode md5 simple BetterKey

Related commands

· sntp authentication enable

· sntp reliable authentication-keyid

sntp enable

Use sntp enable to enable the SNTP service.

Use undo sntp enable to disable the SNTP service.

Syntax

sntp enable

undo sntp enable

Default

The SNTP service is not enabled.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the SNTP service.

<Sysname> system-view

[Sysname] sntp enable

sntp ipv6 unicast-server

Use sntp ipv6 unicast-server to specify an IPv6 NTP server for the device.

Use undo sntp ipv6 unicast-server to remove the IPv6 NTP server specified for the device.

Syntax

sntp ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | source interface-type interface-number ] *

undo sntp ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No IPv6 NTP server is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the host name of the NTP server, a case-insensitive string of 1 to 253 characters.

ipv6-address: Specifies the IPv6 address of the NTP server.

Usage guidelines

When you specify an IPv6 NTP server for the device, the device is synchronized to the NTP server, but the NTP server is not synchronized to the device.

To synchronize the PE to a PE or CE in a VPN, provide the vpn-instance vpn-instance-name option in your command.

If the specified IPv6 address of the NTP server is a link local address, you must specify the source interface for NTP messages and cannot specify a VPN for the NTP server.

Examples

# Specify the IPv6 NTP server 2001::1 for the device.

<Sysname> system-view

[Sysname] sntp ipv6 unicast-server 2001::1

Related commands

· sntp authentication enable

· sntp authentication-keyid

· sntp reliable authentication-keyid

sntp reliable authentication-keyid

Use sntp reliable authentication-keyid to specify the created authentication key as a trusted key.

Use undo sntp reliable authentication-keyid to remove the specified trusted key.

Syntax

sntp reliable authentication-keyid keyid

undo sntp reliable authentication-keyid keyid

Default

No trust key is specified.

Views

System view

Predefined user roles

network-admin

Parameters

keyid: Specifies an authentication key number in the range of 1 to 4294967295.

Usage guidelines

If SNTP is enabled, the SNTP client is synchronized only to an NTP server that provides a trusted key.

Before you use the command, make sure SNTP authentication is enabled and an authentication key is configured. The key automatically changes to untrusted after you delete the key. In this case, you do not need to execute the undo sntp-service reliable authentication-keyid command.

Examples

# Enable NTP authentication, and specify the MD5 encryption algorithm, with the key ID of 37 and key value of BetterKey.

<Sysname> system-view

[Sysname] sntp authentication enable

[Sysname] sntp authentication-keyid 37 authentication-mode md5 simple BetterKey

# Specify this key as a trusted key.

[Sysname] sntp reliable authentication-keyid 37

Related commands

· sntp authentication-keyid

· sntp authentication enable

sntp unicast-server

Use sntp unicast-server to specify an NTP server for the device.

Use undo sntp unicast-server to remove the NTP server.

Syntax

sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | source interface-type interface-number | version number ] *

undo sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ]

Default

No NTP server is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the host name of the NTP server, a case-insensitive string of 1 to 253 characters.

ip-address: Specifies the IP address of the NTP server. It must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock.

source interface-type interface-number: Specifies the source interface for NTP messages. In an NTP message the local device sends to the NTP server, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number.

version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 4.

Usage guidelines

When you specify an NTP server for the device, the device is synchronized to the NTP server, but the NTP server is not synchronized to the device.

To synchronize the PE to a PE or CE in a VPN, provide vpn-instance vpn-instance-name in your command.

Examples

# Specify NTP server 10.1.1.1 for the device, and configure the device to run NTP version 4.

<Sysname> system-view

[Sysname] sntp unicast-server 10.1.1.1 version 4

Related commands

· sntp authentication enable

· sntp authentication-keyid

· sntp reliable authentication-keyid

11-Network Management and Monitoring Command Reference

display ntp-service ipv6 sessions

display ntp-service trace

ntp-service authentication enable

ntp-service authentication-keyid

ntp-service broadcast-server

ntp-service max-dynamic-sessions

ntp-service multicast-server

ntp-service reliable authentication-keyid

ntp-service unicast-peer

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us