To protect unused sockets against attacks by malicious users and improve security, H3C S3100 series Ethernet switches provide the following functions:
- UDP port 123 is opened only when the NTP feature is enabled.
- UDP port 123 is closed when the NTP feature is disabled.
These functions are implemented as follows:
- Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
- Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
1.1.1 display ntp-service sessions
Syntax
display ntp-service sessions [ verbose ]
View
Any view
Parameter
verbose: Displays detailed information about all the sessions maintained by the NTP service. Without this keyword, the command displays brief information about all the sessions.
Description
Use the display ntp-service sessions command to display information about all the sessions maintained by the local NTP service.
Example
# View brief information about all sessions maintained by the NTP service.
<Sysname> display ntp-service sessions
source          reference       stra reach poll  now offset  delay disper
*************************************************************************
[12345]3.0.1.32 LOCL               1    95   64   42  -14.3   12.9    2.7
[25]3.0.1.31    127.127.1.0        2     1   64    1 4408.6   38.7    0.0
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 2
Table 1-1 Description of the fields of the display ntp-service sessions command

| Field | Description |
| --- | --- |
| source | IP address of the synchronization source |
| reference | Reference clock ID of the synchronization source. 1) If the reference clock is the local clock, the value of this field depends on the value of the stra field: when the stra field is 0 or 1, this field is “LOCL”; when the stra field has another value, this field is the IP address of the local clock. 2) If the reference clock is the clock of another switch on the network, the value of this field is the IP address of that switch. |
| stra | Stratum of the clock of the synchronization source |
| reach | Reachability count of the clock source. 0 indicates that the clock source is unreachable |
| poll | Polling interval in seconds, that is, the maximum interval between two successive messages |
| now | Time elapsed since the last NTP packet was sent |
| offset | Offset of the system clock relative to the reference clock, in milliseconds |
| delay | Network delay, that is, the roundtrip delay from the local switch to the clock source, in milliseconds |
| disper | Maximum offset of the local clock relative to the reference clock |
| [12345] | 1: Clock source selected by the system, namely the current reference source, with a system clock stratum level smaller than or equal to 15. 2: Stratum level of this clock source is smaller than or equal to 15. 3: This clock source has passed the clock selection process. 4: This clock source is a candidate clock source. 5: This clock source was created by a configuration command |
| Total associations | Total number of associations |
Caution: An S3100 series switch does not establish a session with its client when it works in the NTP server mode, but does so when it works in other NTP implementation modes.
1.1.2 display ntp-service status
Syntax
display ntp-service status
View
Any view
Parameter
None
Description
Use the display ntp-service status command to display the status of the NTP service.
Example
# View the status of the NTP service on the local switch.
<Sysname> display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 1.1.1.11
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.8174 ms
Root delay: 37.86 ms
Root dispersion: 45.98 ms
Peer dispersion: 35.78 ms
Reference time: 16:30:46.078 UTC Mar 29 2007(C9689FB6.1431593E)
Table 1-2 Description of the fields of the display ntp-service status command

| Field | Description |
| --- | --- |
| Clock status | Status of the local clock: synchronized or unsynchronized |
| Clock stratum | Stratum of the local clock |
| Reference clock ID | Address of the remote server or ID of the reference clock after the local clock is synchronized to a remote NTP server or a reference clock |
| Nominal frequency | Nominal frequency of the local hardware clock, in Hz |
| Actual frequency | Actual frequency of the local hardware clock, in Hz |
| Clock precision | Precision of the local hardware clock |
| Clock offset | Offset of the local clock relative to the reference clock, in milliseconds |
| Root delay | Roundtrip delay between the local clock and the primary reference clock source, in milliseconds |
| Root dispersion | Maximum dispersion of the local clock relative to the primary reference clock, in milliseconds |
| Peer dispersion | Maximum dispersion of the remote NTP server, in milliseconds |
| Reference time | Reference timestamp |
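As an added check (not part of this manual and not H3C code), the Python audit below parses the display ntp-service sessions and display ntp-service status output formats shown above and reports what a hardened switch should not show: associations not created by configuration (no flag 5, i.e. dynamic sessions), sources outside an allowlist (critical when flag 1 shows the system clock is following that source), configured sources with reach 0, and a status whose reference clock ID is not allowlisted. The allowlist and the two extra sample sessions are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the 'display ntp-service sessions' output above;
# the last two associations are invented to exercise the checks.
SESSIONS_SAMPLE = """\
source reference stra reach poll now offset delay disper
*************************************************************************
[12345]3.0.1.32 LOCL 1 95 64 42 -14.3 12.9 2.7
[25]3.0.1.31 127.127.1.0 2 1 64 1 4408.6 38.7 0.0
[234]192.0.2.77 192.0.2.1 2 127 64 9 0.6 1.8 0.4
[5]3.0.1.30 0.0.0.0 16 0 64 0 0.0 0.0 0.0
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 4
"""
# Constructed sample shaped like the 'display ntp-service status' output above.
STATUS_SAMPLE = "Clock status: synchronized\nClock stratum: 4\nReference clock ID: 1.1.1.11\n"

# One association line: [flags]source reference stra reach poll now offset delay disper
SESSION_RE = re.compile(
    r"^\[(?P<flags>\d+)\](?P<source>\S+)\s+(?P<reference>\S+)\s+(?P<stra>\d+)\s+"
    r"(?P<reach>\d+)\s+(?P<poll>\d+)\s+(?P<now>\d+)\s+(?P<offset>-?[\d.]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<disper>-?[\d.]+)$"
)

@dataclass
class Session:
    flags: set  # digits from the note line: 1 master, 2 stratum<=15, 3 selected, 4 candidate, 5 configured
    source: str
    reference: str
    stratum: int
    reach: int

def parse_sessions(text):
    """Return one Session per association line; header, note and total lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            out.append(Session(set(m["flags"]), m["source"], m["reference"],
                               int(m["stra"]), int(m["reach"])))
    return out

def audit_sessions(text, allowed_sources):
    """Flag associations a hardened switch should not have."""
    findings = []
    for s in parse_sessions(text):
        if "5" not in s.flags:
            # No flag 5: a dynamic association opened by an unsolicited peer, not by configuration.
            findings.append(f"{s.source}: dynamic association not created by configuration")
        if s.source not in allowed_sources:
            # Flag 1 means the system clock is actually following this unlisted source.
            level = "CRITICAL" if "1" in s.flags else "WARN"
            findings.append(f"{level} {s.source}: source not in allowlist")
        if "5" in s.flags and s.reach == 0:
            findings.append(f"{s.source}: configured source unreachable (reach 0)")
    return findings

def audit_status(text, allowed_sources):
    """Check 'display ntp-service status': clock synchronized and reference clock ID allowlisted."""
    status = {k.strip(): v.strip() for k, sep, v in (ln.partition(":") for ln in text.splitlines()) if sep}
    findings = []
    if status.get("Clock status") != "synchronized":
        findings.append("clock not synchronized")
    if status.get("Reference clock ID") not in allowed_sources:
        findings.append(f"reference clock ID {status.get('Reference clock ID')} not in allowlist")
    return findings
```

Run audit_sessions and audit_status over output collected from each switch with the allowlist of NTP sources your design permits; any finding is a configuration drift or an unexpected association to investigate.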
1.1.3 display ntp-service trace
Syntax
display ntp-service trace
View
Any view
Parameter
None
Description
Use the display ntp-service trace command to display brief information about each NTP time server along the time synchronization chain from the local switch to the reference clock source.
Example
# View brief information about each NTP time server along the time synchronization chain from the local switch to the reference clock source.
<Sysname> display ntp-service trace
server 127.0.0.1,stratum 3, offset 0.018739, synch distance 0.04724
server 172.1.2.3,stratum 2, offset 0.030714, synch distance 0.01094
refid LOCL
The above output shows the time synchronization chain of server 127.0.0.1: server 127.0.0.1 is synchronized to server 172.1.2.3, and server 172.1.2.3 is synchronized to the local clock source.
Table 1-3 display ntp-service trace command output description

| Field | Description |
| --- | --- |
| server | IP address of the NTP server |
| stratum | Stratum level of the corresponding system clock |
| offset | Clock offset relative to the upper-level clock, in milliseconds |
| synch distance | Synchronization distance relative to the upper-level clock, in seconds |
| refid | Identifier of the primary reference source. When the stratum level of the primary reference clock is 0, it is displayed as LOCL; otherwise, it is displayed as the IP address of the primary reference clock |
1.1.4 ntp-service access
Syntax
ntp-service access { peer | server | synchronization | query } acl-number
undo ntp-service access { peer | server | synchronization | query }
View
System view
Parameter
query: Control query right. This level of right permits the peer device to perform control query to the NTP service on the local device but does not permit the peer device to synchronize its clock to the local device. The so-called “control query” refers to querying the state of the NTP service, including alarm information, authentication status, clock source information, and so on.
synchronization: Synchronization right. This level of right permits the peer device to synchronize its clock to the local switch but does not permit the peer device to perform control query.
server: Server right. This level of right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch to synchronize its clock to the peer device.
peer: Peer right. This level of right permits the peer device to perform synchronization and control query to the local switch and also permits the local switch to synchronize its clock to the peer device.
acl-number: Basic access control list (ACL) number, in the range of 2000 to 2999.
Description
Use the ntp-service access command to set the access control right from the remote device to the local NTP server.
Use the undo ntp-service access command to remove the configured access control right to the local NTP server.
By default, the access control right from the remote device to the local NTP server is peer.
NTP service access-control rights from the highest to the lowest are peer, server, synchronization, and query. When a local NTP server receives an NTP request, it performs an access-control right match and uses the first matched right.
The ntp-service access command provides only a minimal security measure. A more secure way is to perform identity authentication. Refer to the ntp-service authentication enable command for related configuration.
Example
# Configure the access right from the remote device in ACL 2076 to the local NTP server as peer.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service access peer 2076
# Configure the access right from the remote device in ACL 2028 to the local NTP server as server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service access server 2028
1.1.5 ntp-service authentication enable
Syntax
ntp-service authentication enable
undo ntp-service authentication enable
View
System view
Parameter
None
Description
Use the ntp-service authentication enable command to enable NTP authentication.
Use the undo ntp-service authentication enable command to disable NTP authentication.
By default, NTP authentication is disabled.
Refer to the ntp-service reliable authentication-keyid and ntp-service authentication-keyid commands for related configuration.
Example
# Enable NTP authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service authentication enable
1.1.6 ntp-service authentication-keyid
Syntax
ntp-service authentication-keyid key-id authentication-mode md5 value
undo ntp-service authentication-keyid key-id
View
System view
Parameter
key-id: Authentication key ID, in the range of 1 to 4294967295.
value: Authentication key, a string comprising 1 to 32 characters. Up to 1024 keys can be configured.
Description
Use the ntp-service authentication-keyid command to configure an NTP authentication key.
Use the undo ntp-service authentication-keyid command to remove an NTP authentication key.
By default, no NTP authentication key is configured.
Currently, the system only supports the message digest 5 (MD5) algorithm.
After configuring the NTP authentication key, you need to use the ntp-service reliable authentication-keyid command to specify the authentication key as a trusted key.
Related commands: ntp-service reliable authentication-keyid.
Example
# Configure an MD5 authentication key, with the key ID being 10 and the key being BetterKey.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey
1.1.7 ntp-service broadcast-client
Syntax
ntp-service broadcast-client
undo ntp-service broadcast-client
View
VLAN interface view
Parameter
None
Description
Use the ntp-service broadcast-client command to configure an Ethernet switch to operate in the NTP broadcast client mode and receive NTP broadcast messages through the current interface.
Use the undo ntp-service broadcast-client command to remove the configuration.
By default, no switch operates in the broadcast client mode.
Example
# Configure the switch to operate in the broadcast client mode and receive NTP broadcast messages through Vlan-interface1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface1
[Sysname-Vlan-interface1] ntp-service broadcast-client
1.1.8 ntp-service broadcast-server
Syntax
ntp-service broadcast-server [ authentication-keyid key-id | version number ]*
undo ntp-service broadcast-server
View
VLAN interface view
Parameter
authentication-keyid key-id: Specifies the key ID used for sending messages to broadcast clients. The key-id argument ranges from 1 to 4294967295. You do not need to configure authentication-keyid key-id if authentication is not required.
version number: Specifies the NTP version number, which ranges from 1 to 3. The default version number is 3.
Description
Use the ntp-service broadcast-server command to configure an Ethernet switch to operate in the NTP broadcast server mode and send NTP broadcast messages through the current interface.
Use the undo ntp-service broadcast-server command to remove the configuration.
By default, no Ethernet switch operates in the NTP broadcast server mode.
Example
# Configure the switch to send NTP broadcast messages through Vlan-interface1, authenticate them with authentication key 4, and set the NTP version number to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ntp-service broadcast-server authentication-keyid 4 version 3
1.1.9 ntp-service in-interface disable
Syntax
ntp-service in-interface disable
undo ntp-service in-interface disable
View
VLAN interface view
Parameter
None
Description
Use the ntp-service in-interface disable command to disable the interface from receiving NTP messages.
Use the undo ntp-service in-interface disable command to restore the default.
By default, the interface can receive NTP messages.
Example
# Disable Vlan-interface1 from receiving NTP messages.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ntp-service in-interface disable
1.1.10 ntp-service max-dynamic-sessions
Syntax
ntp-service max-dynamic-sessions number
undo ntp-service max-dynamic-sessions
View
System view
Parameter
number: Maximum number of dynamic NTP sessions that can be established locally. This argument ranges from 0 to 100.
Description
Use the ntp-service max-dynamic-sessions command to set the maximum number of dynamic NTP sessions that can be established locally.
Use the undo ntp-service max-dynamic-sessions command to restore the default.
By default, up to 100 dynamic NTP sessions can be established locally.
Example
# Set the maximum number of dynamic NTP sessions that can be established locally to 50.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service max-dynamic-sessions 50
1.1.11 ntp-service multicast-client
Syntax
ntp-service multicast-client [ ip-address ]
undo ntp-service multicast-client [ ip-address ]
View
VLAN interface view
Parameter
ip-address: Multicast IP address, in the range of 224.0.1.0 to 239.255.255.255. The default IP address is 224.0.1.1.
Description
Use the ntp-service multicast-client command to configure an Ethernet switch to operate in the NTP multicast client mode and receive NTP multicast messages through the current interface.
Use the undo ntp-service multicast-client command to remove the configuration.
By default, no Ethernet switch operates in the NTP multicast client mode.
Example
# Configure the switch to receive NTP multicast messages through Vlan-interface1, with the multicast IP address being 224.0.1.2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ntp-service multicast-client 224.0.1.2
1.1.12 ntp-service multicast-server
Syntax
ntp-service multicast-server [ ip-address ] [ authentication-keyid key-id | ttl ttl-number | version number ]*
undo ntp-service multicast-server [ ip-address ]
View
VLAN interface view
Parameter
ip-address: Multicast IP address, in the range of 224.0.1.0 to 239.255.255.255. The default IP address is 224.0.1.1.
authentication-keyid key-id: Specifies the key ID used for sending messages to multicast clients. The key-id argument ranges from 1 to 4294967295.
ttl ttl-number: Defines the lifetime of multicast messages. The ttl-number argument ranges from 1 to 255 and defaults to 16.
version number: Specifies the NTP version number, which ranges from 1 to 3 and defaults to 3.
Description
Use the ntp-service multicast-server command to configure an Ethernet switch to operate in the NTP multicast server mode and send NTP multicast messages through the current interface.
Use the undo ntp-service multicast-server command to remove the configuration.
By default, no Ethernet switch operates in the NTP multicast server mode.
Example
# Configure the switch to send NTP multicast messages through Vlan-interface1, and set the multicast group address to 224.0.1.2, the key ID to 4, and the NTP version number to 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ntp-service multicast-server 224.0.1.2 authentication-keyid 4 version 2
1.1.13 ntp-service reliable authentication-keyid
Syntax
ntp-service reliable authentication-keyid key-id
undo ntp-service reliable authentication-keyid key-id
View
System view
Parameter
key-id: Authentication key ID, in the range of 1 to 4294967295.
Description
Use the ntp-service reliable authentication-keyid command to specify an authentication key as a trusted key.
Use the undo ntp-service reliable authentication-keyid command to remove the configuration.
By default, no trusted key is configured.
When NTP authentication is enabled, a client can be synchronized only to a server that can provide a trusted authentication key.
Related commands: ntp-service authentication-keyid.
Example
# Enable NTP authentication. The authentication algorithm is MD5, the key ID is 37, and the trusted key is abc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 37 authentication-mode md5 abc
# Specify this key as a trusted key.
[Sysname] ntp-service reliable authentication-keyid 37
1.1.14 ntp-service source-interface
Syntax
ntp-service source-interface Vlan-interface vlan-id
undo ntp-service source-interface
View
System view
Parameter
Vlan-interface vlan-id: Specifies an interface. The IP address of the interface serves as the source IP address of sent NTP messages. The vlan-id argument indicates the ID of the specified VLAN interface, ranging from 1 to 4094.
Description
Use the ntp-service source-interface command to specify a VLAN interface through which NTP messages are to be sent.
Use the undo ntp-service source-interface command to remove the configuration.
If you do not want the IP addresses of the other interfaces on the local switch to be the destination addresses of response messages, you can use this command to specify a specific interface to send all NTP packets. In this way, the IP address of the interface is the source IP address of all NTP messages sent by the local device.
Example
# Specify the source IP address of all sent NTP messages as the IP address of Vlan-interface1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service source-interface Vlan-interface 1
1.1.15 ntp-service unicast-peer
Syntax
ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]*
undo ntp-service unicast-peer { remote-ip | peer-name }
View
System view
Parameter
remote-ip: IP address of the NTP symmetric-passive peer. This argument can be a unicast address only, and cannot be a broadcast address, a multicast address, or the IP address of the local reference clock.
peer-name: Symmetric-passive peer host name, a string comprising 1 to 20 characters.
authentication-keyid key-id: Specifies the key ID used for sending messages to the peer. The key-id argument ranges from 1 to 4294967295. By default, authentication is not enabled.
priority: Specifies the peer identified by the remote-ip argument as the preferred peer for synchronization.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP messages sent to the peer. vlan-id is the VLAN interface number.
version number: Specifies the NTP version number. The version number ranges from 1 to 3 and defaults to 3.
Description
Use the ntp-service unicast-peer command to configure an Ethernet switch to operate in the symmetric-active peer mode.
Use the undo ntp-service unicast-peer command to remove the configuration.
By default, no NTP operating mode is configured.
If you use remote-ip or peer-name to specify a remote device as the peer of the local Ethernet switch, the local switch operates in the symmetric-active peer mode. In this case, the clock of the local Ethernet switch and that of the remote device can be synchronized to each other.
Example
# Configure the local switch to obtain time information from the peer with the IP address 128.108.22.44 and also to provide time information to the peer. Set the NTP version number to 3. The source IP address of NTP messages is the IP address of Vlan-interface1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service unicast-peer 128.108.22.44 version 3 source-interface Vlan-interface 1
1.1.16 ntp-service unicast-server
Syntax
ntp-service unicast-server { remote-ip | server-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]*
undo ntp-service unicast-server { remote-ip | server-name }
View
System view
Parameter
remote-ip: IP address of an NTP server. This argument can be a unicast address only, and cannot be a broadcast address, a multicast group address, or the IP address of the local clock.
server-name: NTP server name, a string comprising 1 to 20 characters.
authentication-keyid key-id: Specifies the key ID used for sending messages to the NTP server. The key-id argument ranges from 1 to 4294967295. You do not need to configure authentication-keyid key-id if authentication is not required.
priority: Specifies the server identified by the remote-ip or server-name argument as the preferred server.
source-interface Vlan-interface vlan-id: Specifies an interface whose IP address serves as the source IP address of NTP packets sent by the local switch to the server.
version number: Specifies the NTP version number. The number argument ranges from 1 to 3 and defaults to 3.
Description
Use the ntp-service unicast-server command to configure an Ethernet switch to operate in the NTP client mode.
Use the undo ntp-service unicast-server command to remove the configuration.
By default, no Ethernet switch operates in the NTP client mode.
The remote server specified by remote-ip or server-name serves as the NTP server, and the local switch serves as the NTP client. The clock of the NTP client is synchronized by the NTP server, but the client does not synchronize the clock of the NTP server.
Example
# Configure the local switch to be synchronized to the NTP server with the IP address 128.108.22.44, and set the version number to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ntp-service unicast-server 128.108.22.44 version 3