Configuring NTP· 1

NTP overview·· 1

NTP applications 1

NTP advantages 1

How NTP works 1

NTP message format 2

NTP operation modes 4

NTP for multiple VPNs 6

NTP configuration task list 7

Configuring NTP operation modes 7

Configuring NTP client/server mode· 8

Configuring the NTP symmetric peers mode· 8

Configuring NTP broadcast mode· 9

Configuring NTP multicast mode· 10

Configuring the local clock as a reference source· 11

Configuring optional NTP parameters 11

Specifying the source interface for NTP messages 11

Disabling an interface from receiving NTP messages 12

Configuring the maximum number of dynamic sessions allowed· 12

Configuring access-control rights 12

Configuration prerequisites 13

Configuration procedure· 13

Configuring NTP authentication· 13

Configuring NTP authentication in client/server mode· 14

Configuring NTP authentication in symmetric peers mode· 15

Configuring NTP authentication in broadcast mode· 16

Configuring NTP authentication in multicast mode· 17

Displaying and maintaining NTP· 18

NTP configuration examples 18

Configuring NTP client/server mode· 19

Configuring the NTP symmetric mode· 20

Configuring NTP broadcast mode· 21

Configuring NTP multicast mode· 23

Configuring NTP client/server mode with authentication· 26

Configuring NTP broadcast mode with authentication· 27

Configuring MPLS VPN time synchronization in client/server mode· 30

Configuring MPLS VPN time synchronization in symmetric peers mode· 32

 

NTP overview

Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP runs over the User Datagram Protocol (UDP), using UDP port 123.

The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within a network so that the devices can provide diverse applications based on the consistent time.

The time of a local system that runs NTP can be synchronized to other reference sources and used as a reference source to synchronize other clocks.

NTP applications

An administrator is unable to keep time synchronized among all the devices within a network by changing the system clock on each station, because this is a huge workload and cannot guarantee clock precision. NTP, however, allows quick clock synchronization within the entire network and ensures a high clock precision.

NTP is used when all devices within the network must be consistent in timekeeping, for example:

·           In analysis of the log information and debugging information collected from different devices in network management, time must be used as reference basis.

·           All devices must use the same reference clock in a charging system.

·           To implement certain functions, such as scheduled restart of all devices within the network, all devices must be consistent in timekeeping.

·           When multiple systems process a complex event in cooperation, these systems must use the same reference clock to ensure the correct execution sequence.

·           For incremental backup between a backup server and clients, timekeeping must be synchronized between the backup server and all the clients.

NTP advantages

·           NTP uses a stratum to describe clock precision, and is able to synchronize time among all devices within the network.

·           NTP supports access control and MD5 authentication.

·           NTP can unicast, multicast or broadcast protocol messages.

How NTP works

Figure 1 shows the basic workflow of NTP. Device A and Device B are connected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP. Assume that:

·           Prior to system clock synchronization between Device A and Device B, the clock of Device A is set to 10:00:00 am while that of Device B is set to 11:00:00 am.

·           Device B is used as the NTP time server, namely, Device A synchronizes its clock to that of Device B.

·           It takes 1 second for an NTP message to travel from one device to the other.

Figure 1 Basic work flow of NTP

 

The process of system clock synchronization is as follows:

·           Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The time stamp is 10:00:00 am (T1).

·           When this NTP message arrives at Device B, it is timestamped by Device B. The timestamp is 11:00:01 am (T2).

·           When the NTP message leaves Device B, Device B timestamps it. The timestamp is 11:00:02 am (T3).

·           When Device A receives the NTP message, the local time of Device A is 10:00:03 am (T4).

Up to now, Device A has sufficient information to calculate the following two important parameters:

·           The roundtrip delay of NTP message: Delay = (T4–T1) – (T3-T2) = 2 seconds.

·           Time difference between Device A and Device B: Offset = ((T2-T1) + (T3-T4))/2 = 1 hour.

Based on these parameters, Device A can synchronize its own clock to the clock of Device B.

This is only a rough description of the work mechanism of NTP. For more information, see RFC 1305.

NTP message format

NTP uses two types of messages: clock synchronization messages and NTP control messages. An NTP control message is used in environments where network management is needed. Because it is not essential for clock synchronization, it is not described in this document.

 

NOTE: All NTP messages mentioned in this document refer to NTP clock synchronization messages.

 

A clock synchronization message is encapsulated in a UDP message, in the format shown in Figure 2.

Figure 2 Clock synchronization message format

 

Main fields are described as follows:

·           LI (Leap Indicator)—A 2-bit leap indicator. When set to 11, it warns of an alarm condition (clock unsynchronized); when set to any other value, it is not to be processed by NTP.

·           VN (Version Number)—A 3-bit version number that indicates the version of NTP. The latest version is version 3.

·           Mode—A 3-bit code that indicates the work mode of NTP. This field can be set to these values:

¡  0—reserved

¡  1—symmetric active

¡  2—symmetric passive

¡  3—client

¡  4—server

¡  5—broadcast or multicast

¡  6—NTP control message

¡  7—reserved for private use.

·           Stratum—An 8-bit integer that indicates the stratum level of the local clock, with the value ranging from 1 to 16. Clock precision decreases from stratum 1 through stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.

·           Poll—An 8-bit signed integer that indicates the maximum interval between successive messages, which is called the poll interval.

·           Precision—An 8-bit signed integer that indicates the precision of the local clock.

·           Root Delay—Roundtrip delay to the primary reference source.

·           Root Dispersion—The maximum error of the local clock relative to the primary reference source.

·           Reference Identifier—Identifier of the particular reference source.

·           Reference Timestamp—The local time at which the local clock was last set or corrected.

·           Originate Timestamp—The local time at which the request departed from the client for the service host.

·           Receive Timestamp—The local time at which the request arrived at the service host.

·           Transmit Timestamp—The local time at which the reply departed from the service host for the client.

·           Authenticator—Authentication information.

NTP operation modes

Devices that run NTP can implement clock synchronization in one of the following modes:

·           Client/server mode

·           Symmetric peers mode

·           Broadcast mode

·           Multicast mode

You can select operation modes of NTP as needed. If the IP address of the NTP server or peer is unknown and many devices in the network need to be synchronized, you can adopt the broadcast or multicast mode; while in the client/server and symmetric peers modes, a device is synchronized from the specified server or peer, so clock reliability is enhanced.

Client/server mode

Figure 3 Client/server mode

 

When working in client/server mode, a client sends a clock synchronization message to servers, with the Mode field in the message set to 3 (client mode). Upon receiving the message, the servers automatically work in server mode and send a reply, with the Mode field in the messages set to 4 (server mode). Upon receiving the replies from the servers, the client performs clock filtering and selection, and synchronizes its local clock to that of the optimal reference source.

In client/server mode, a client can be synchronized to a server, but a server cannot be synchronized to a client.

Symmetric peers mode

Figure 4 Symmetric peers mode

 

In symmetric peers mode, devices that work in symmetric active mode and symmetric passive mode exchange NTP messages with the Mode field 3 (client mode) and 4 (server mode). Then the device that works in symmetric active mode periodically sends clock synchronization messages, with the Mode field in the messages set to 1 (symmetric active). The device that receives the messages automatically enters symmetric passive mode and sends a reply, with the Mode field in the message set to 2 (symmetric passive). This exchange of messages establishes symmetric peers mode between the two devices, so the two devices can synchronize, or be synchronized by, each other. If the clocks of both devices have been synchronized, the device whose local clock has a lower stratum level synchronizes the clock of the other device.

Broadcast mode

Figure 5 Broadcast mode

 

In broadcast mode, a server periodically sends clock synchronization messages to broadcast address 255.255.255.255, with the Mode field in the messages set to 5 (broadcast mode). Clients listen to the broadcast messages from servers. When a client receives the first broadcast message, the client and the server start to exchange messages with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between client and the server. Then, the client enters broadcast client mode. The client continues listening to broadcast messages, and synchronizes its local clock based on the received broadcast messages.

Multicast mode

Figure 6 Multicast mode

 

In multicast mode, a server periodically sends clock synchronization messages to the user-configured multicast address, or, if no multicast address is configured, to the default NTP multicast address 224.0.1.1, with the Mode field in the messages set to 5 (multicast mode). Clients listen to the multicast messages from servers. When a client receives the first multicast message, the client and the server start to exchange messages with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between client and server. Then, the client enters multicast client mode. It continues listening to multicast messages, and synchronizes its local clock based on the received multicast messages.

 

NOTE: In symmetric peers mode, broadcast mode and multicast mode, the client (or the symmetric active peer) and the server (the symmetric passive peer) can work in the specified NTP working mode only after they exchange NTP messages with the Mode field being 3 (client mode) and the Mode field being 4 (server mode). During this message exchange process, NTP clock synchronization can be implemented.

 

NTP for multiple VPNs

The device supports multiple VPNs when it functions as an NTP client or a symmetric active peer to realize clock synchronization with the NTP server or symmetric passive peer in an MPLS VPN network.

As shown in Figure 7, users in VPN 1 and VPN 2 are connected to the MPLS backbone network through provider edge (PE) devices, and services of the two VPNs are isolated. If you configure the PEs to work in NTP client or symmetric active mode, and specify the VPN to which the NTP server or NTP symmetric passive peer belongs, the clock synchronization between PEs and CEs of the two VPNs can be realized.

Figure 7 Network diagram

 

NOTE: For more information about MPLS L3VPN, VPN instance, and PE, see MPLS Configuration Guide.

 

NTP configuration task list

Complete the following tasks to configure NTP:

 

Task	Remarks
.Configuring NTP operation modes	Required
.Configuring the local clock as a reference source	Optional
.Configuring optional NTP parameters	Optional
.Configuring access-control rights	Optional
.Configuring NTP authentication	Optional

 

Configuring NTP operation modes

Devices can implement clock synchronization in one of the following modes:

·           Client/server mode

·           Symmetric mode

·           Broadcast mode

·           Multicast mode

For client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers; for broadcast or multicast mode, you need to configure both servers and clients.

 

NOTE: A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations. ·       A static association refers to an association that a user has manually created by using an NTP command. ·       A dynamic association is a temporary association created by the system during operation. A dynamic association is removed if the system fails to receive messages from it over a specific long time. In client/server mode, for example, when you execute a command to synchronize the time to a server, the system creates a static association, and the server simply responds passively upon the receipt of a message, rather than creating an association (static or dynamic). In symmetric mode, static associations are created at the symmetric-active peer side, and dynamic associations are created at the symmetric-passive peer side. In broadcast or multicast mode, static associations are created at the server side, and dynamic associations are created at the client side.

 

Configuring NTP client/server mode

For devices working in client/server mode, make the following configurations on the clients.

To specify an NTP server on the client:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Specify an NTP server for the device.	ntp-service unicast-server [ vpn-instance vpn-instance-name ] { ip-address | server-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *	No NTP server is specified by default.

 

NOTE: ·       In the ntp-service unicast-server command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. ·       When the source interface for NTP messages is specified by the source-interface argument, the source IP address of the NTP messages is configured as the primary IP address of the specified interface. ·       A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client’s clock, the client will not synchronize its clock to that server’s clock. ·       You can configure multiple servers by repeating the ntp-service unicast-server command. The clients will select the optimal reference source.

 

Configuring the NTP symmetric peers mode

For devices working in symmetric mode, specify a symmetric-passive peer on a symmetric-active peer.

To specify a symmetric-passive peer:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Specify a symmetric-passive peer for the device.	ntp-service unicast-peer [ vpn-instance vpn-instance-name ] { ip-address | peer-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *	No symmetric-passive peer is specified by default.

 

NOTE: ·       In symmetric mode, use the ntp-service refclock-master command or any NTP configuration command in Configuring NTP operation modes to enable NTP; otherwise, a symmetric-passive peer will not process NTP messages from a symmetric-active peer. ·       In the ntp-service unicast-peer command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. ·       When the source interface for NTP messages is specified by the source-interface argument, the source IP address of the NTP messages is configured as the primary IP address of the specified interface. ·       Typically, at least one of the symmetric-active and symmetric-passive peers has been synchronized; otherwise the clock synchronization will not proceed. ·       You can configure multiple symmetric-passive peers by repeating the ntp-service unicast-peer command.

 

Configuring NTP broadcast mode

The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in NTP broadcast client mode sends a reply and synchronizes its local clock.

For devices working in broadcast mode, configure both the server and clients. Because an interface needs to be specified on the broadcast server for sending NTP broadcast messages and an interface also needs to be specified on each broadcast client for receiving broadcast messages, the NTP broadcast mode can be configured only in the specific interface view.

 

NOTE: Tunnel interfaces do not support NTP broadcast mode. For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.

 

Configuring a broadcast client

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enter interface view.	interface interface-type interface-number	Enter the interface used to receive NTP broadcast messages.
3.      Configure the device to work in NTP broadcast client mode.	ntp-service broadcast-client	N/A

 

Configuring the broadcast server

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enter interface view.	interface interface-type interface-number	Enter the interface used to send NTP broadcast messages.
3.      Configure the device to work in NTP broadcast server mode.	ntp-service broadcast-server [ authentication-keyid keyid | version number ] *	N/A

 

NOTE: A broadcast server can synchronize broadcast clients only when its clock has been synchronized.

 

Configuring NTP multicast mode

The multicast server periodically sends NTP multicast messages to multicast clients, which send replies after receiving the messages and synchronize their local clocks.

For devices working in multicast mode, configure both the server and clients. The NTP multicast mode must be configured in the specific interface view.

 

NOTE: Tunnel interfaces do not support NTP multicast mode. For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.

 

Configuring a multicast client

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enter interface view.	interface interface-type interface-number	Enter the interface used to receive NTP multicast messages.
3.      Configure the device to work in NTP multicast client mode.	ntp-service multicast-client [ ip-address ]	N/A

 

Configuring the multicast server

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enter interface view.	interface interface-type interface-number	Enter the interface used to send NTP multicast message.
3.      Configure the device to work in NTP multicast server mode.	ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *	N/A

 

NOTE: ·       A multicast server can synchronize broadcast clients only when its clock has been synchronized. ·       You can configure up to 1024 multicast clients, among which 128 can take effect at the same time.

 

Configuring the local clock as a reference source

A network device can get its clock synchronized in either of the following two ways:

·           Synchronized to the local clock, which works as the reference source.

·           Synchronized to another device on the network in any of the four NTP operation modes previously described.

If you configure two synchronization modes, the device selects the optimal clock as the reference source.

To configure the local clock as a reference source:

 

Step	Command
1.      Enter system view.	system-view
2.      Configure the local clock as a reference source.	ntp-service refclock-master [ ip-address ] [ stratum ]

 

NOTE: ·       Typically, the stratum level of the NTP server which is synchronized from an authoritative clock (such as an atomic clock) is set to 1. This NTP server operates as the primary reference source on the network; and other devices synchronize themselves to it. The synchronization distances between the primary reference source and other devices on the network, namely, the number of NTP servers on the NTP synchronization paths, determine the clock stratum levels of the devices. ·       If you have configured the local clock as a reference clock, the local device can act as a reference clock to synchronize other devices in the network. Perform this configuration with caution to avoid clock errors of the devices in the network.

 

Configuring optional NTP parameters

Specifying the source interface for NTP messages

If you specify the source interface for NTP messages, the device sets the source IP address of the NTP messages as the primary IP address of the specified interface when sending the NTP messages.

When the device responds to an NTP request received, the source IP address of the NTP response is always the IP address of the interface that received the NTP request.

To specify the source interface for NTP messages:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Specify the source interface for NTP messages.	ntp-service source-interface interface-type interface-number	By default, no source interface is specified for NTP messages.

 

CAUTION: ·       If you have specified the source interface for NTP messages in the ntp-service unicast-server or ntp-service unicast-peer command, the interface specified in the ntp-service unicast-server or ntp-service unicast-peer command serves as the source interface of NTP messages. ·       If you have configured the ntp-service broadcast-server or ntp-service multicast-server command, the source interface of the broadcast or multicast NTP messages is the interface configured with the respective command. ·       If the specified source interface for NTP messages is down, the source IP address for an NTP message that is sent out is the primary IP address of the outgoing interface of the NTP message.

 

Disabling an interface from receiving NTP messages

When NTP is enabled, NTP messages can be received from all the interfaces by default, and you can disable an interface from receiving NTP messages through the following configuration.

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enter interface view.	interface interface-type interface-number	N/A
3.      Disable the interface from receiving NTP messages.	ntp-service in-interface disable	An interface is enabled to receive NTP messages by default.

 

Configuring the maximum number of dynamic sessions allowed

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Configure the maximum number of dynamic sessions allowed to be established locally.	ntp-service max-dynamic-sessions number	100 by default

 

Configuring access-control rights

With the following command, you can configure the NTP service access-control right to the local device. There are four access-control rights, as follows:

·           query—Control query permitted. This level of right permits the peer devices to perform control query to the NTP service on the local device but does not permit a peer device to synchronize its clock to that of the local device. The so-called “control query” refers to query of some states of the NTP service, including alarm information, authentication status, clock source information, and so on.

·           synchronization—Server access only. This level of right permits a peer device to synchronize its clock to that of the local device but does not permit the peer devices to perform control query.

·           server—Server access and query permitted. This level of right permits the peer devices to perform synchronization and control query to the local device but does not permit the local device to synchronize its clock to that of a peer device.

·           peer—Full access. This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that of a peer device.

From the highest NTP service access-control right to the lowest one are peer, server, synchronization, and query. When a switch receives an NTP request, it performs an access-control right match and uses the first matched right. If no matched right is found, the switch drops the NTP request.

Configuration prerequisites

Prior to configuring the NTP service access-control right to the local device, create and configure an ACL associated with the access-control right. For more information about ACLs, see ACL and QoS Configuration Guide.

Configuration procedure

To configure the NTP service access-control right to the local device:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Configure the NTP service access-control right for a remote device to access the local device.	ntp-service access { peer | query | server | synchronization } acl-number	peer by default

 

NOTE: The access-control right mechanism provides only a minimum level of security protection for a system running NTP. A more secure method is identity authentication.

 

Configuring NTP authentication

The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication.

NTP authentication configuration includes the following tasks:

·           Enable NTP authentication

·           Configure an authentication key

·           Configure the key as a trusted key

·           Associate the specified key with an NTP server or a symmetric peer

The above tasks are required. If any task is missed, the NTP authentication cannot function.

Configuring NTP authentication in client/server mode

When you configure NTP authentication in client/server mode, you need to configure the required tasks on both the client and server, and associate the key with the NTP server on the client.

·           If NTP authentication is not enabled or no key is associated with the NTP server on the client, no NTP authentication is performed when the client synchronizes its clock to the server. No matter NTP authentication is enabled on the server or not, the clock synchronization between the server and client can be performed.

·           If NTP authentication is enabled and a key is associated with the NTP server on the client, but the key is a trusted key, no matter NTP authentication is enabled on the server or not, the client does not synchronize its clock to the server.

Configuring NTP authentication for a client

To configure NTP authentication for a client:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key by default
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default
5.      Associate the specified key with an NTP server.	ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid	You can associate a non-existing key with an NTP server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the NTP server.

 

NOTE: After you enable the NTP authentication feature for the client, make sure that you configure for the client an authentication key that is the same as on the server and specify that the authentication key is trusted.

 

Configuring NTP authentication for a server

To configure NTP authentication for a server:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key by default
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default

 

NOTE: The same authentication key must be configured on both the server and client sides.

 

Configuring NTP authentication in symmetric peers mode

When you configure NTP authentication in symmetric peers mode, configure the required tasks on both the active and passive peers, and on the active peer associate the key with the passive peer.

1.       When the active peer has a greater stratum level than the passive peer:

¡  If NTP authentication is not enabled or no key is associated with the passive peer on the active peer, the active peer synchronizes its clock to the passive peer as long as NTP authentication is disabled on the passive peer.

¡  If NTP authentication is enabled and a key is associated with the passive peer on the active peer, but the key is not a trusted key, no matter the NTP authentication is enabled on the passive peer or not, the active peer does not synchronize its clock to the passive peer.

2.       When the active peer has a smaller stratum level than the passive peer:

If NTP authentication is not enabled, no key is associated with the passive peer on the active peer, or the key is not a trusted key, the clock of the active peer can be synchronized to the passive peer as long as NTP authentication is disabled on the passive peer.

Configuring NTP authentication for an active peer

To configure NTP authentication for an active peer:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key is configured by default.
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default
5.      Associate the specified key with the passive peer.	ntp-service unicast-peer { ip-address | peer-name } authentication-keyid keyid	You can associate a non-existing key with a passive peer. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the passive peer.

 

NOTE: After you enable the NTP authentication feature for the active peer, make sure that you configure for the active peer an authentication key that is the same as on the passive peer and specify that the authentication key is trusted.

 

Configuring NTP authentication for a passive peer

To configure NTP authentication for a passive peer:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key is configured by default.
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default

 

NOTE: The same authentication key must be configured on both the active and passive peers.

 

Configuring NTP authentication in broadcast mode

·           When you configure NTP authentication in broadcast mode, configure the required tasks on both the broadcast client and broadcast server, and associate the key with the broadcast server on the server.If NTP authentication is enabled on the client, an authentication key is specified, and the key is a trusted key, the clock of the broadcast client can synchronize to the broadcast server only when NTP authentication is enabled on the server, an authentication key is specified, the key is a trusted key, and the key is associated with the broadcast server.

·           If NTP authentication is not enabled on the client, the clock of the broadcast client can synchronize to the broadcast server no matter whether NTP authentication is enabled on the server.

Configuring NTP authentication for a broadcast client

To configure NTP authentication for a broadcast client:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default.
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key is configured by default.
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default.

 

NOTE: After you enable the NTP authentication feature for the broadcast client, make sure that you configure for the client an authentication key that is the same as on the broadcast server and specify that the authentication key is trusted.

 

Configuring NTP authentication for a broadcast server

To configure NTP authentication for a broadcast server:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default.
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key is configured by default.
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default
5.      Enter interface view.	interface interface-type interface-number	N/A
6.      Associate the specified key with the broadcast server.	ntp-service broadcast-server authentication-keyid keyid	You can associate a non-existing key with the broadcast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the broadcast server.

 

NOTE: The same authentication key must be configured on both the broadcast server and broadcast client sides.

 

Configuring NTP authentication in multicast mode

When you configure NTP authentication in multicast mode, configure the required tasks on both the multicast client and multicast server, and associate the key with the multicast server on the server.

·           If NTP authentication is enabled on the client, an authentication key is specified, and the key is a trusted key, the clock of the multicast client can synchronize to the multicast server only when NTP authentication is enabled on the server, an authentication key is specified, the key is a trusted key, and the key is associated with the multicast server.

·           If NTP authentication is not enabled on the client, the clock of the multicast client can synchronize to the multicast server no matter whether NTP authentication is enabled on the server.

Configuring NTP authentication for a multicast client

To configure NTP authentication for a multicast client:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default.
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key is configured by default.
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default.

 

NOTE: After you enable the NTP authentication feature for the multicast client, make sure that you configure for the client an authentication key that is the same as on the multicast server and specify that the authentication key is trusted.

 

Configuring NTP authentication for a multicast server

To configure NTP authentication for a multicast server:

 

Step	Command	Remarks
1.      Enter system view.	system-view	N/A
2.      Enable NTP authentication.	ntp-service authentication enable	Disabled by default.
3.      Configure an NTP authentication key.	ntp-service authentication-keyid keyid authentication-mode md5 value	No NTP authentication key is configured by default.
4.      Configure the key as a trusted key.	ntp-service reliable authentication-keyid keyid	No authentication key is configured to be trusted by default.
5.      Enter interface view.	interface interface-type interface-number	N/A
6.      Associate the specified key with the multicast server.	ntp-service multicast-server authentication-keyid keyid	You can associate a non-existing key with the multicast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the multicast server.

 

NOTE: The same authentication key must be configured on both the multicast server and multicast client sides.

 

Displaying and maintaining NTP

 

Task	Command	Remarks
Display information about NTP service status.	display ntp-service status [ | { begin | exclude | include } regular-expression ]	Available in any view
Display information about NTP sessions.	display ntp-service sessions [ verbose ] [ | { begin | exclude | include } regular-expression ]	Available in any view
Display the brief information about the NTP servers from the local device back to the primary reference source.	display ntp-service trace [ | { begin | exclude | include } regular-expression ]	Available in any view

 

NTP configuration examples

 

NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.

 

Configuring NTP client/server mode

Network requirements

Perform the following configurations to synchronize the time between Device B and Device A:

·           As shown in Figure 8, the local clock of Device A is to be used as a reference source, with the stratum level of 2.

·           Device B works in client/server mode and Device A is to be used as the NTP server of Device B.

Figure 8 Network diagram

 

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 8. The configuration procedure is omitted.

2.       Configure Device A:

# Specify the local clock as the reference source, with the stratum level of 2.

<DeviceA> system-view

[DeviceA] ntp-service refclock-master 2

3.       Configure Device B:

# View the NTP status of Device B before clock synchronization.

<DeviceB> display ntp-service status

 Clock status: unsynchronized

 Clock stratum: 16

 Reference clock ID: none

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 0.00 ms

 Root dispersion: 0.00 ms

 Peer dispersion: 0.00 ms

 Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)

# Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A.

<DeviceB> system-view

[DeviceB] ntp-service unicast-server 1.0.1.11

# View the NTP status of Device B after clock synchronization.

[DeviceB] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 Reference clock ID: 1.0.1.11

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 1.05 ms

 Peer dispersion: 7.81 ms

 Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)

The output shows that Device B has been synchronized to Device A, and the clock stratum level of Device B is 3, while that of Device A is 2.

# View the NTP session information of Device B, which shows that an association has been set up between Device B and Device A.

[DeviceB] display ntp-service sessions

      source      reference   stra  reach  poll  now  offset  delay  disper

**************************************************************************

[12345] 1.0.1.11  127.127.1.0    2    63    64    3    -75.5    31.0  16.5

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

Configuring the NTP symmetric mode

Network requirements

Perform the following configurations to synchronize time among devices:

·           As shown in Figure 9, the local clock of Device A is to be configured as a reference source, with the stratum level of 2.

·           The local clock of Device C is to be configured as a reference source, with the stratum level of 1.

·           Device B works in client mode and Device A is to be used as the NTP server of Device B.

·           Device C works in symmetric-active mode and Device B acts as the peer of Device C.

Figure 9 Network diagram

 

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 9. The configuration procedure is omitted.

2.       Configure Device A:

# Specify the local clock as the reference source, with the stratum level of 2.

<DeviceA> system-view

[DeviceA] ntp-service refclock-master 2

3.       Configure Device B:

# Specify Device A as the NTP server of Device B.

<DeviceB> system-view

[DeviceB] ntp-service unicast-server 3.0.1.31

4.       Configure Device C (after Device B is synchronized to Device A):

# Specify the local clock as the reference source, with the stratum level of 1.

<DeviceC> system-view

[DeviceC] ntp-service refclock-master 1

# Configure Device B as a symmetric peer after local synchronization.

[DeviceC] ntp-service unicast-peer 3.0.1.32

In the step above, Device B and Device C are configured as symmetric peers, with Device C in the symmetric-active mode and Device B in the symmetric-passive mode. Because the stratus level of Device C is 1 while that of Device B is 3, Device B is synchronized to Device C.

# View the NTP status of Device B after clock synchronization.

[DeviceB] display ntp-service status

 Clock status: synchronized

 Clock stratum: 2

 Reference clock ID: 3.0.1.33

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: -21.1982 ms

 Root delay: 15.00 ms

 Root dispersion: 775.15 ms

 Peer dispersion: 34.29 ms

 Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)

The output shows that Device B has been synchronized to Device C, and the clock stratum level of Device B is 2, while that of Device C is 1.

# View the NTP session information of Device B, which shows that an association has been set up between Device B and Device C.

[DeviceB] display ntp-service sessions

       source     reference   stra  reach  poll  now   offset delay  disper

**************************************************************************

[245] 3.0.1.31  127.127.1.0    2    15    64   24   10535.0  19.6   14.5

[1234] 3.0.1.33   LOCL          1    14    64   27    -77.0   16.0   14.8

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  2

Configuring NTP broadcast mode

Network requirements

As shown in Figure 10, Switch C functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices.

·           Switch C’s local clock is to be used as a reference source, with the stratum level of 2.

·           Switch C works in broadcast server mode and sends out broadcast messages from VLAN-interface 2.

·           Switch A and Switch B work in broadcast client mode, and listen to broadcast messages through their VLAN-interface 2 respectively.

Figure 10 Network diagram

 

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 10. The configuration procedure is omitted.

2.       Configure Switch C:

# Specify the local clock as the reference source, with the stratum level of 2.

<SwitchC> system-view

[SwitchC] ntp-service refclock-master 2

# Configure Switch C to work in broadcast server mode and send broadcast messages through VLAN-interface 2.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service broadcast-server

3.       Configure Switch A:

# Configure Switch A to work in broadcast client mode and receive broadcast messages on VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ntp-service broadcast-client

4.       Configure Switch B:

# Configure Switch B to work in broadcast client mode and receive broadcast messages on VLAN-interface 3.

<SwitchB> system-view

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ntp-service broadcast-client

Switch A and Switch B get synchronized upon receiving a broadcast message from Switch C.

# Take Switch A as an example. View the NTP status of Switch A after clock synchronization.

[SwitchA-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 Reference clock ID: 3.0.1.31

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 8.31 ms

 Peer dispersion: 34.30 ms

 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

The output shows that Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 3, while that of Switch C is 2.

# View the NTP session information of Switch A, which shows that an association has been set up between Switch A and Switch C.

[SwitchA-Vlan-interface2] display ntp-service sessions

      source    reference    stra  reach  poll  now    offset delay  disper

**************************************************************************

[1234] 3.0.1.31  127.127.1.0   2   254     64    62   -16.0    32.0   16.6

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

Configuring NTP multicast mode

Network requirements

As shown in Figure 11, Switch C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices.

·           Switch C’s local clock is to be used as a reference source, with the stratum level of 2.

·           Switch C works in multicast server mode and sends out multicast messages from VLAN-interface 2.

·           Switch A and Switch D work in multicast client mode and receive multicast messages through VLAN-interface 3 and VLAN-interface 2 respectively.

Figure 11 Network diagram

 

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 11. The configuration procedure is omitted.

2.       Configure Switch C:

# Specify the local clock as the reference source, with the stratum level of 2.

<SwitchC> system-view

[SwitchC] ntp-service refclock-master 2

# Configure Switch C to work in multicast server mode and send multicast messages through VLAN-interface 2.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service multicast-server

3.       Configure Switch D:

# Configure Switch D to work in multicast client mode and receive multicast messages on VLAN-interface 2.

<SwitchD> system-view

[SwitchD] interface vlan-interface 2

[SwitchD-Vlan-interface2] ntp-service multicast-client

Because Switch D and Switch C are on the same subnet, Switch D can receive the multicast messages from Switch C without being enabled with the multicast functions and can be synchronized to Switch C.

# View the NTP status of Switch D after clock synchronization.

[SwitchD-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 Reference clock ID: 3.0.1.31

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 8.31 ms

 Peer dispersion: 34.30 ms

 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

The output shows that Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 3, while that of Switch C is 2.

# View the NTP session information of Switch D, which shows that an association has been set up between Switch D and Switch C.

[SwitchD-Vlan-interface2] display ntp-service sessions

      source    reference    stra  reach  poll  now    offset delay  disper

**************************************************************************

[1234] 3.0.1.31  127.127.1.0   2   254     64    62   -16.0    31.0   16.6

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

4.       Configure Switch B:

Because Switch A and Switch C are on different subnets, you must enable the multicast functions on Switch B before Switch A can receive multicast messages from Switch C.

# Enable IP multicast routing and IGMP.

<SwitchB> system-view

[SwitchB] multicast routing-enable

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] pim dm

[SwitchB-Vlan-interface2] quit

[SwitchB] vlan 3

[SwitchB-vlan3] port GigabitEthernet 3/0/1

[SwitchB-vlan3] quit

[SwitchB] interface vlan-interface 3

[SwitchB-Vlan-interface3] igmp enable

[SwitchB-Vlan-interface3] igmp static-group 224.0.1.1

[SwitchB-Vlan-interface3] quit

[SwitchB] interface GigabitEthernet 3/0/1

[SwitchB-GigabitEthernet3/0/1] igmp-snooping static-group 224.0.1.1 vlan 3

5.       Configure Switch A:

<SwitchA> system-view

[SwitchA] interface vlan-interface 3

# Configure Switch A to work in multicast client mode and receive multicast messages on VLAN-interface 3.

[SwitchA-Vlan-interface3] ntp-service multicast-client

# View the NTP status of Switch A after clock synchronization.

[SwitchA-Vlan-interface3] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 Reference clock ID: 3.0.1.31

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 40.00 ms

 Root dispersion: 10.83 ms

 Peer dispersion: 34.30 ms

 Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

The output shows that Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 3, while that of Switch C is 2.

# View the NTP session information of Switch A, which shows that an association has been set up between Switch A and Switch C.

[SwitchA-Vlan-interface3] display ntp-service sessions

      source    reference    stra  reach  poll  now    offset delay  disper

**************************************************************************

[1234] 3.0.1.31  127.127.1.0    2   255     64    26   -16.0    40.0   16.6

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

 

NOTE: For more information about how to configure IGMP and PIM, see IP Multicast Configuration Guide.

 

Configuring NTP client/server mode with authentication

Network requirements

As shown in Figure 12, perform the following configurations to synchronize the time between Device B and Device A and ensure network security.

·           The local clock of Device A is to be configured as a reference source, with the stratum level of 2.

·           Device B works in client mode and Device A is to be used as the NTP server of Device B, with Device B as the client.

·           NTP authentication is to be enabled on both Device A and Device B.

Figure 12 Network diagram

 

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 12. The configuration procedure is omitted.

2.       Configure Device A:

# Specify the local clock as the reference source, with the stratum level of 2.

<DeviceA> system-view

[DeviceA] ntp-service refclock-master 2

3.       Configure Device B:

<DeviceB> system-view

# Enable NTP authentication on Device B.

[DeviceB] ntp-service authentication enable

# Set an authentication key.

[DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

# Specify the key as a trusted key.

[DeviceB] ntp-service reliable authentication-keyid 42

# Specify Device A as the NTP server of Device B.

[DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42

Before Device B can synchronize its clock to that of Device A, enable NTP authentication for Device A.

Perform the following configuration on Device A:

# Enable NTP authentication.

[DeviceA] ntp-service authentication enable

# Set an authentication key.

[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey

# Specify the key as a trusted key.

[DeviceA] ntp-service reliable authentication-keyid 42

# View the NTP status of Device B after clock synchronization.

[DeviceB] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 Reference clock ID: 1.0.1.11

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 1.05 ms

 Peer dispersion: 7.81 ms

 Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)

The output shows Device B has been synchronized to Device A, and the clock stratum level of Device B is 3, while that of Device A is 2.

# View the NTP session information of Device B, which shows that an association has been set up Device B and Device A.

[DeviceB] display ntp-service sessions

      source      reference   stra  reach  poll  now  offset  delay  disper

**************************************************************************

[12345] 1.0.1.11  127.127.1.0    2    63    64    3    -75.5    31.0  16.5

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

Configuring NTP broadcast mode with authentication

Network requirements

As shown in Figure 13, Switch C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices. Switch B authentications the reference source.

·           Switch C’s local clock is to be used as a reference source, with the stratum level of 3.

·           Switch C works in broadcast server mode and sends out broadcast messages from VLAN-interface 2.

·           Switch A and Switch B work in broadcast client mode and receives broadcast messages through VLAN-interface 2.

·           NTP authentication is enabled on both Switch B and Switch C.

Figure 13 Network diagram)

 

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 13. The configuration procedure is omitted.

2.       Configure Switch A:

# Configure Switch A to work in the NTP broadcast client mode and receive NTP broadcast messages on VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ntp-service broadcast-client

3.       Configure Switch B:

# Enable NTP authentication on Switch B. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Specify the key as a trusted key.

<SwitchB> system-view

[SwitchB] ntp-service authentication enable

[SwitchB] ntp-service authentication-keyid 88 authentication-mode md5 123456

[SwitchB] ntp-service reliable authentication-keyid 88

# Configure Switch B to work in broadcast client mode and receive NTP broadcast messages on VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ntp-service broadcast-client

4.       Configure Switch C:

# Specify the local clock as the reference source, with the stratum level of 3.

<SwitchC> system-view

[SwitchC] ntp-service refclock-master 3

# Configure Switch C to work in the NTP broadcast server mode and use VLAN-interface 2 to send NTP broadcast packets.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service broadcast-server

[SwitchC-Vlan-interface2] quit

# Switch A synchronizes its local clock based on the received broadcast messages sent from Switch C. View NTP service status information on Switch A, and you can see that Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 4, while that of Switch C is 3.

[SwitchA-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 4

 Reference clock ID: 3.0.1.31

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 8.31 ms

 Peer dispersion: 34.30 ms

 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

# View the NTP session information of Switch A, which shows that an association has been set up between Switch A and Switch C.

[SwitchA-Vlan-interface2] display ntp-service sessions

      source    reference    stra  reach  poll  now    offset delay  disper

**************************************************************************

[1234] 3.0.1.31  127.127.1.0  3   254     64    62   -16.0    32.0   16.6

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

# NTP authentication is enabled on Switch B, but not enabled on Switch C, so Switch B cannot synchronize its local clock to that of Switch C.

[SwitchB-Vlan-interface2] display ntp-service status

 Clock status: unsynchronized

 Clock stratum: 16

 Reference clock ID: none

 Nominal frequency: 100.0000 Hz

 Actual frequency: 100.0000 Hz

 Clock precision: 2^18

 Clock offset: 0.0000 ms

 Root delay: 0.00 ms

 Root dispersion: 0.00 ms

 Peer dispersion: 0.00 ms

 Reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)

# Enable NTP authentication on Switch C. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Specify the key as a trusted key.

[SwitchC] ntp-service authentication enable

[SwitchC] ntp-service authentication-keyid 88 authentication-mode md5 123456

[SwitchC] ntp-service reliable authentication-keyid 88

# Specify Switch C as an NTP broadcast server, and associate the key 88 with Switch C.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88

# After NTP authentication is enabled on Switch C, Switch B can synchronize its local clock to that of Switch C. View NTP service status information on Switch B, and you can see that Switch B has been synchronized to Switch C, and the clock stratum level of Switch B is 4, while that of Switch C is 3.

[SwitchB-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 4

 Reference clock ID: 3.0.1.31

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 8.31 ms

 Peer dispersion: 34.30 ms

 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

# View the NTP session information of Switch B, which shows that an association has been set up between Switch B and Switch C.

[SwitchB-Vlan-interface2] display ntp-service sessions

      source    reference    stra  reach  poll  now    offset delay  disper

**************************************************************************

[1234] 3.0.1.31  127.127.1.0   3   254     64    62   -16.0    32.0   16.6

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

Total associations :  1

# Configuration of NTP authentication on Switch C does not affect Switch A. Switch A still synchronizes its local clock to that of Switch C.

[SwitchA-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 4

 Reference clock ID: 3.0.1.31

 Nominal frequency: 64.0000 Hz

 Actual frequency: 64.0000 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 31.00 ms

 Root dispersion: 8.31 ms

 Peer dispersion: 34.30 ms

 Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)

Configuring MPLS VPN time synchronization in client/server mode

Network requirements

As shown in Figure 14, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2. CE 1 and CE 3 are devices in VPN 1. To synchronize the time between PE 2 and CE 1 in VPN 1, perform the following configurations:

·           CE 1’s local clock is to be used as a reference source, with the stratum level of 1.

·           PE 2 is synchronized to CE 1 in the client/server mode, and specify that the VPN is VPN 1.

 

NOTE: At present, MPLS L3VPN time synchronization can be implemented only in the unicast mode (client/server mode or symmetric peers mode), but not in the multicast or broadcast mode.

 

Figure 14 Network diagram

 

Device	Interface	IP address	Device	Interface	IP address
CE 1	POS2/1/1	10.1.1.1/24	PE 1	POS2/1/1	10.1.1.2/24
CE 2	POS2/1/1	10.2.1.1/24		POS2/1/2	172.1.1.1/24
CE 3	POS2/1/1	10.3.1.1/24		POS2/1/3	10.2.1.2/24
CE 4	POS2/1/1	10.4.1.1/24	PE 2	POS2/1/1	10.3.1.2/24
P	POS2/1/1	172.1.1.2/24		POS2/1/2	172.2.1.2/24
	POS2/1/2	172.2.1.1/24		POS2/1/3	10.4.1.2/24

 

Configuration procedure

 

NOTE: Before you perform the following configuration, be sure you have completed MPLS VPN-related configurations and make sure of the reachability between CE 1 and PE 1, between PE 1 and PE 2, and between PE 2 and CE 3. For information about configuring MPLS VPN, see MPLS Configuration Guide.

 

1.       Set the IP address for each interface as shown in Figure 14. (Details not shown)

2.       Configure CE 1:

# Specify the local clock as the reference source, with the stratum level of 1.

<CE1> system-view

[CE1] ntp-service refclock-master 1

3.       Configure PE 2:

# Specify CE 1 in VPN 1 as the NTP server of PE 2.

<PE2> system-view

[PE2] ntp-service unicast-server vpn-instance vpn1 10.1.1.1

# View the NTP session information and status information on PE 2 a certain period of time later. The information should show that PE 2 has been synchronized to CE 1, with the clock stratum level of 2.

[PE2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 2

 Reference clock ID: 10.1.1.1

 Nominal frequency: 63.9100 Hz

 Actual frequency: 63.9100 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 47.00 ms

 Root dispersion: 0.18 ms

 Peer dispersion: 34.29 ms

 Reference time: 02:36:23.119 UTC Jan 1 2001(BDFA6BA7.1E76C8B4)

[PE2] display ntp-service sessions

source          reference       stra reach poll  now offset  delay disper

**************************************************************************

[12345]10.1.1.1       LOCL         1    7   64   15    0.0   47.0    7.8

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured   

Total associations :  1   

[PE2]  display ntp-service trace

 server 127.0.0.1,stratum 2, offset -0.013500, synch distance 0.03154          

 server 10.1.1.1,stratum 1, offset -0.506500, synch distance 0.03429          

 refid 127.127.1.0

Configuring MPLS VPN time synchronization in symmetric peers mode

Network requirements

As shown in Figure 14, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2. To synchronize the time between PE 1 and CE 1 in VPN 1, perform the following configurations:

·           PE 1’s local clock is to be used as a reference source, with the stratum level of 1.

·           PE 1 is synchronized to CE 1 in the symmetric peers mode, and specify that the VPN is VPN 1.

Configuration procedure

1.       Set the IP address for each interface as shown in Figure 14. (Details not shown)

2.       Configure CE 1:

# Specify the local clock as the reference source, with the stratum level of 1.

<CE1> system-view

[CE1] ntp-service refclock-master 1

3.       Configure PE 1:

# Specify CE 1 in VPN 1 as the symmetric-passive peer of PE 1.

<PE1> system-view

[PE1] ntp-service unicast-peer vpn-instance vpn1 10.1.1.1

# View the NTP session information and status information on PE 1 a certain period of time later. The information should show that PE 1 has been synchronized to CE 1, with the clock stratum level of 2.

[PE1] display ntp-service status

 Clock status: synchronized

 Clock stratum: 2

 Reference clock ID: 10.1.1.1

 Nominal frequency: 63.9100 Hz

 Actual frequency: 63.9100 Hz

 Clock precision: 2^7

 Clock offset: 0.0000 ms

 Root delay: 32.00 ms

 Root dispersion: 0.60 ms

 Peer dispersion: 7.81 ms

 Reference time: 02:44:01.200 UTC Jan 1 2001(BDFA6D71.33333333)

[PE1] display ntp-service sessions

source          reference       stra reach poll  now offset  delay disper

**************************************************************************

[12345]10.1.1.1    LOCL          1    1    64    29   -12.0  32.0   15.6

note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured  

Total associations :  1    

[PE1] display ntp-service trace   

 server 127.0.0.1,stratum 2, offset -0.012000, synch distance 0.02448

 server 10.1.1.1,stratum 1, offset 0.003500, synch distance 0.00781

 refid 127.127.1.0