12-Network Management and Monitoring Configuration Guide

02-NTP configuration

Contents

Configuring NTP
Overview
How NTP works
NTP architecture
Association modes
NTP security
NTP for MPLS VPNs
Protocols and standards
Configuration restrictions and guidelines
Configuration task list
Enabling the NTP service
Configuring NTP association modes
Configuring NTP in client/server mode
Configuring NTP in symmetric active/passive mode
Configuring NTP in broadcast mode
Configuring NTP in multicast mode
Configuring access control rights
Configuring NTP authentication
Configuring NTP authentication in client/server mode
Configuring NTP authentication in symmetric active/passive mode
Configuring NTP authentication in broadcast mode
Configuring NTP authentication in multicast mode
Configuring NTP optional parameters
Specifying the source interface for NTP messages
Disabling an interface from receiving NTP messages
Configuring the maximum number of dynamic associations
Configuring the local clock as a reference source
Displaying and maintaining NTP
NTP configuration examples
NTP client/server mode configuration example
NTP symmetric active/passive mode configuration example
NTP broadcast mode configuration example
NTP multicast mode configuration example
Configuration example for NTP client/server mode with authentication
Configuration example for NTP broadcast mode with authentication
Configuration example for MPLS VPN time synchronization in client/server mode
Configuration example for MPLS VPN time synchronization in symmetric active/passive mode
Configuring SNTP
Configuration restrictions and guidelines
Configuration task list
Enabling the SNTP service
Specifying an NTP server for the device
Configuring SNTP authentication
Displaying and maintaining SNTP
SNTP configuration example


Synchronize your device with a trusted time source by using the Network Time Protocol (NTP) or changing the system time before you run it on a live network. Various tasks, including network management, charging, auditing, and distributed computing depend on an accurate system time setting, because the timestamps of system messages and logs use the system time.

Overview

NTP is typically used in large networks to dynamically synchronize time among network devices. It guarantees higher clock accuracy than manual system clock setting. In a small network that does not require high clock accuracy, you can keep time synchronized among devices by changing their system clocks one by one.

NTP runs over UDP and uses UDP port 123.

How NTP works

Figure 1 shows how NTP synchronizes the system time between two devices, in this example, Device A and Device B. Assume that:

·           Prior to the time synchronization, the time of Device A is set to 10:00:00 am and that of Device B is set to 11:00:00 am.

·           Device B is used as the NTP server. Device A is to be synchronized to Device B.

·           It takes 1 second for an NTP message to travel from Device A to Device B, and from Device B to Device A.

·           It takes 1 second for Device B to process the NTP message.

Figure 1 Basic work flow

 

The synchronization process is as follows:

1.      Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The timestamp is 10:00:00 am (T1).

2.      When this NTP message arrives at Device B, Device B adds a timestamp showing the time when the message arrived at Device B. The timestamp is 11:00:01 am (T2).

3.      When the NTP message leaves Device B, Device B adds a timestamp showing the time when the message left Device B. The timestamp is 11:00:02 am (T3).

4.      When Device A receives the NTP message, the local time of Device A is 10:00:03 am (T4).

Device A can now calculate the following parameters based on the timestamps:

·           The roundtrip delay of the NTP message: Delay = (T4 - T1) - (T3 - T2) = 2 seconds.

·           Time difference between Device A and Device B: Offset = ((T2 - T1) + (T3 - T4)) / 2 = 1 hour.

Based on these parameters, Device A can be synchronized to Device B.

This is only a rough description of the work mechanism of NTP. For more information, see the related protocols and standards.

NTP architecture

NTP uses stratums 1 to 16 to define clock accuracy, as shown in Figure 2. A lower stratum value represents higher accuracy. Clocks at stratums 1 through 15 are in synchronized state, and clocks at stratum 16 are not synchronized.

Figure 2 NTP architecture

 

Typically, a stratum 1 NTP server gets its time from an authoritative time source, such as an atomic clock, and provides time for other devices as the primary NTP server. The stratum of a server reflects its level in the hierarchy: the topmost level (primary servers) is assigned stratum 1, and each level below it (secondary servers) is assigned a stratum one greater than the preceding level. NTP uses a stratum to describe how many NTP hops away a device is from the primary time server. A stratum 2 time server receives its time from a stratum 1 time server, and so on.

To ensure time accuracy and availability, you can specify multiple NTP servers for a device. The device selects an optimal NTP server as the clock source based on parameters such as stratum. The clock that the device selects is called the reference source. For more information about clock selection, see the related protocols and standards.

If the devices in a network cannot synchronize to an authoritative time source, you can select a device that has a relatively accurate clock from the network, and use the local clock of the device as the reference clock to synchronize other devices in the network.

Association modes

NTP supports the following association modes:

·           Client/server mode

·           Symmetric active/passive mode

·           Broadcast mode

·           Multicast mode

Table 1 NTP association modes

Client/server

·           Working process: On the client, specify the IP address of the NTP server. A client sends a clock synchronization message to the NTP servers. Upon receiving the message, the servers automatically operate in server mode and send a reply. If the client can be synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source after receiving the replies from the servers.

·           Principle: A client can be synchronized to a server, but a server cannot be synchronized to a client.

·           Application scenario: As Figure 2 shows, this mode is intended for configurations where devices of a higher stratum are synchronized to devices with a lower stratum.

Symmetric active/passive

·           Working process: On the symmetric active peer, specify the IP address of the symmetric passive peer. A symmetric active peer periodically sends clock synchronization messages to a symmetric passive peer. The symmetric passive peer automatically operates in symmetric passive mode and sends a reply. If the symmetric active peer can be synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source after receiving the replies from the servers.

·           Principle: A symmetric active peer and a symmetric passive peer can be synchronized to each other. If both of them are synchronized, the peer with a higher stratum is synchronized to the peer with a lower stratum.

·           Application scenario: As Figure 2 shows, this mode is most often used between two or more servers with the same stratum to operate as a backup for one another. If a server fails to communicate with all the servers of a higher stratum, the server can be synchronized to the servers of the same stratum.

Broadcast

·           Working process: A server periodically sends clock synchronization messages to the broadcast address 255.255.255.255. Clients listen to the broadcast messages from the servers to synchronize to the server according to the broadcast messages. When a client receives the first broadcast message, the client and the server start to exchange messages to calculate the network delay between them. Then, only the broadcast server sends clock synchronization messages.

·           Principle: A broadcast client can be synchronized to a broadcast server, but a broadcast server cannot be synchronized to a broadcast client.

·           Application scenario: A broadcast server sends clock synchronization messages to synchronize clients in the same subnet. As Figure 2 shows, broadcast mode is intended for configurations involving one or a few servers and a potentially large client population. The broadcast mode has a lower time accuracy than the client/server and symmetric active/passive modes because only the broadcast servers send clock synchronization messages.

Multicast

·           Working process: A multicast server periodically sends clock synchronization messages to the user-configured multicast address. Clients listen to the multicast messages from servers and synchronize to the server according to the received messages.

·           Principle: A multicast client can be synchronized to a multicast server, but a multicast server cannot be synchronized to a multicast client.

·           Application scenario: A multicast server can provide time synchronization for clients in the same subnet or in different subnets. The multicast mode has a lower time accuracy than the client/server and symmetric active/passive modes.

In this document, an "NTP server" or a "server" refers to a device that operates as an NTP server in client/server mode. Time servers refer to all the devices that can provide time synchronization, including NTP servers, NTP symmetric peers, broadcast servers, and multicast servers.

NTP security

To improve time synchronization security, NTP provides the access control and authentication functions.

NTP access control

You can control NTP access by using an ACL. The access rights are in the following order, from least restrictive to most restrictive:

·           Peer: Allows time requests and NTP control queries (such as alarms, authentication status, and time server information) and allows the local device to synchronize itself to a peer device.

·           Server: Allows time requests and NTP control queries, but does not allow the local device to synchronize itself to a peer device.

·           Synchronization: Allows only time requests from a system whose address passes the access list criteria.

·           Query: Allows only NTP control queries from a peer device to the local device.

The device processes an NTP request, as follows:

·           If no NTP access control is configured, peer is granted to the local device and peer devices.

·           If the IP address of the peer device matches a permit statement in an ACL for more than one access right, the least restrictive access right is granted to the peer device. If a deny statement or no ACL is matched, no access right is granted.

·           If no ACL is created for a specific access right, the associated access right is not granted.

·           If no ACL is created for any access right, peer is granted.

This feature provides minimal security for a system running NTP. A more secure method is NTP authentication.
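The decision rules above, as an added Python example (not H3C code) that can be used to audit which right a given source address ends up with. It assumes each ACL is a list of permit/deny prefixes evaluated in order with the first match deciding, and that a deny in one right's ACL only withholds that right; the addresses and ACL contents are constructed.

```python
import ipaddress

# Access rights ordered from least restrictive to most restrictive,
# in the order the text lists them.
RIGHTS = ("peer", "server", "synchronization", "query")


def acl_permits(rules, src):
    """Return True if the first rule that matches src is a permit.

    rules is a list of (action, prefix) pairs. Assumption: rules are
    evaluated in order and the first match decides. A deny match or no
    match at all means the ACL does not permit the address.
    """
    addr = ipaddress.ip_address(src)
    for action, prefix in rules:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def granted_right(src, acl_by_right):
    """Return the access right granted to src, or None if nothing is granted.

    acl_by_right maps a right name to the ACL rules configured for it.
    A right with no ACL is simply absent from the mapping.
    """
    if not acl_by_right:
        # No ACL is created for any access right: peer is granted.
        return "peer"
    for right in RIGHTS:  # least restrictive first
        rules = acl_by_right.get(right)
        # A right without an ACL is never granted once any ACL exists.
        if rules is not None and acl_permits(rules, src):
            return right
    return None


def audit(sources, acl_by_right):
    """Map each source address to the right it would receive."""
    return {src: granted_right(src, acl_by_right) for src in sources}


# Constructed sample configuration: one upstream peer, a client subnet with
# one excluded host, and a management subnet that may only send queries.
SAMPLE_ACLS = {
    "peer": [("permit", "10.0.0.1/32")],
    "server": [("deny", "10.0.0.66/32"), ("permit", "10.0.0.0/24")],
    "query": [("permit", "10.0.9.0/24")],
}

SAMPLE_SOURCES = ["10.0.0.1", "10.0.0.50", "10.0.0.66", "10.0.9.7", "192.0.2.10"]

if __name__ == "__main__":
    for src, right in audit(SAMPLE_SOURCES, SAMPLE_ACLS).items():
        print(f"{src:<12} -> {right}")
    # With no ACLs at all, even an unknown source receives the peer right.
    print("no ACLs     ->", granted_right("192.0.2.10", {}))
```

The last call shows why an unconfigured device is the weakest case: every source, including an unknown one, receives the peer right.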

NTP authentication

Use this feature to authenticate the NTP messages for security purposes. If an NTP message passes authentication, the device can receive it and get time synchronization information. If not, the device discards the message. This function makes sure the device does not synchronize to an unauthorized time server.

Figure 3 NTP authentication

 

As shown in Figure 3, NTP authentication works as follows:

1.      The sender uses the MD5 algorithm to calculate a digest of the NTP message with the key identified by a key ID, and sends the calculated digest together with the NTP message and key ID to the receiver.

2.      Upon receiving the message, the receiver finds the key according to the key ID in the message, uses the MD5 algorithm to calculate the digest, and compares the digest with the digest contained in the NTP message. If they are the same, the receiver accepts the message. Otherwise, it discards the message.
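An added Python example (not H3C code) that runs the exchange from "How NTP works" through the two authentication steps above: the client verifies the digest on the server reply before it computes offset and delay from T1 to T4. The wire layout (48-byte header, then a 4-byte key ID and the 16-byte MD5 digest of key followed by header) follows the symmetric-key format of RFC 5905; the key, key ID and date are constructed.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800       # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBbbII4s8s8s8s8s"      # 48-byte NTP header without extension fields


def to_ntp(dt):
    """Aware datetime -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    unix = dt.timestamp()
    whole = int(unix)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, int((unix - whole) * 2**32))


def from_ntp(raw):
    """64-bit NTP timestamp -> Unix time in seconds."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32


def build_header(mode, stratum, origin, receive, transmit):
    li_vn_mode = (0 << 6) | (4 << 3) | mode   # LI=0, version 4, mode 4 = server
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0,
                       b"\0" * 4, b"\0" * 8, origin, receive, transmit)


def sign(header, key_id, key):
    """Sender (step 1): append the key ID and MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(message, trusted_keys):
    """Receiver (step 2): return the header if the digest matches, else None."""
    if len(message) != 48 + 4 + 16:
        return None                           # no digest attached, or malformed
    header, digest = message[:48], message[52:]
    (key_id,) = struct.unpack("!I", message[48:52])
    key = trusted_keys.get(key_id)
    if key is None:
        return None                           # key ID is not a trusted key
    expected = hashlib.md5(key + header).digest()
    return header if hmac.compare_digest(expected, digest) else None


def offset_and_delay(header, sent_t1, t4):
    """Client: (offset, delay) in seconds from a verified reply, or None."""
    origin, receive, transmit = struct.unpack("!8s8s8s", header[24:48])
    if origin != sent_t1:                     # reply does not echo our request
        return None
    t1, t2, t3 = from_ntp(origin), from_ntp(receive), from_ntp(transmit)
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def at(hour, minute, second):
    """Constructed date carrying the clock readings from the worked example."""
    return datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc)


KEY_ID, KEY = 42, b"constructed-shared-key"           # constructed values
T1 = to_ntp(at(10, 0, 0))                              # Device A transmit time
REPLY = sign(build_header(4, 2, T1, to_ntp(at(11, 0, 1)), to_ntp(at(11, 0, 2))),
             KEY_ID, KEY)                              # Device B reply with T2, T3
T4 = at(10, 0, 3).timestamp()                          # Device A receive time


def demo():
    good = verify(REPLY, {KEY_ID: KEY})
    tampered = bytearray(REPLY)
    tampered[47] ^= 1                                  # alter the transmit timestamp
    return (offset_and_delay(good, T1, T4),            # accepted reply
            verify(bytes(tampered), {KEY_ID: KEY}),    # digest mismatch: discarded
            verify(REPLY, {7: KEY}))                   # key ID not trusted: discarded


if __name__ == "__main__":
    print(demo())
```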

NTP for MPLS VPNs

The device supports multiple VPN instances when it functions as an NTP client or a symmetric active peer to realize time synchronization with the NTP server or symmetric passive peer in an MPLS VPN network.

Only the client/server and symmetric active/passive modes support VPN instances. For more information about MPLS L3VPN, VPN instance, and PE, see MPLS Configuration Guide.

As Figure 4 shows, users in VPN 1 and VPN 2 are connected to the MPLS backbone network through provider edge (PE) devices, and services of the two VPNs are isolated. If you configure the PEs to operate in NTP client or symmetric active mode, and specify the VPN to which the NTP server or NTP symmetric passive peer belongs, the time synchronization between PEs and devices of the two VPNs can be realized.

Figure 4 Network diagram

 

Protocols and standards

·           RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis

·           RFC 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification

Configuration restrictions and guidelines

·           You cannot configure both NTP and SNTP on the same device.

·           In MDC context, H3C recommends that you configure NTP or SNTP only on the management MDC. If you configure NTP or SNTP on multiple MDCs on the same device, problems such as frequent system time change and inconsistency between the system time and the time on the time server of the MDCs occur.

·           Do not configure NTP on an aggregate member port.

·           The NTP service and SNTP service are mutually exclusive. You can only enable either NTP service or SNTP service at a time.

Configuration task list

 

Tasks at a glance

(Required.) Enabling the NTP service

(Required.) Perform at least one of the following tasks:

·       Configuring NTP association modes

·       Configuring the local clock as a reference source

(Optional.) Configuring access control rights

(Optional.) Configuring NTP authentication

(Optional.) Configuring NTP optional parameters

 

Enabling the NTP service

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable the NTP service.
       Command: ntp-service enable
       Remarks: By default, the NTP service is not enabled.

Configuring NTP association modes

This section describes how to configure NTP association modes.

Configuring NTP in client/server mode

When the device operates in client/server mode, specify the IP address for the server on the client.

Follow these guidelines when you configure an NTP client:

·           A server must be synchronized by other devices or use its local clock as a reference source before synchronizing an NTP client. Otherwise, the client will not be synchronized to the NTP server.

·           If the stratum level of a server is higher than or equal to that of a client, the client will not synchronize to that server.

·           You can configure multiple servers by repeating the ntp-service unicast-server command.

To configure an NTP client:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Specify an NTP server for the device.
       Command: ntp-service unicast-server { ip-address | server-name } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version number ] *
       Remarks: By default, no NTP server is specified for the device.

Configuring NTP in symmetric active/passive mode

When the device operates in symmetric active/passive mode, specify on a symmetric-active peer the IP address for a symmetric-passive peer.

Follow these guidelines when you configure a symmetric-active peer:

·           Execute the ntp-service enable command on a symmetric passive peer to enable NTP. Otherwise, the symmetric-passive peer will not process NTP messages from a symmetric-active peer.

·           Either the symmetric-active peer, or the symmetric-passive peer, or both of them must be in synchronized state. Otherwise, their time cannot be synchronized.

·           You can configure multiple symmetric-passive peers by repeating the ntp-service unicast-peer command.

To configure a symmetric-active peer:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Specify a symmetric-passive peer for the device.
       Command: ntp-service unicast-peer { ip-address | peer-name } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | priority | source interface-type interface-number | version number ] *
       Remarks: By default, no symmetric-passive peer is specified.

Configuring NTP in broadcast mode

A broadcast server must be synchronized by other devices or use its local clock as a reference source before synchronizing a broadcast client. Otherwise, the broadcast client will not be synchronized to the broadcast server.

Configure NTP in broadcast mode on both broadcast server and client.

Configuring a broadcast client

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: Enter the interface for receiving NTP broadcast messages.

3.     Configure the device to operate in broadcast client mode.
       Command: ntp-service broadcast-client
       Remarks: By default, the device does not operate in broadcast client mode. After you execute the command, the device receives NTP broadcast messages from the specified interface.

Configuring the broadcast server

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: Enter the interface for sending NTP broadcast messages.

3.     Configure the device to operate in NTP broadcast server mode.
       Command: ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
       Remarks: By default, the device does not operate in broadcast server mode. After you execute the command, the device receives NTP broadcast messages from the specified interface.

Configuring NTP in multicast mode

A multicast server must be synchronized by other devices or use its local clock as a reference source before synchronizing a multicast client. Otherwise, the multicast client will not be synchronized to the multicast server.

Configure NTP in multicast mode on both a multicast server and client.

Configuring a multicast client

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: Enter the interface for receiving NTP multicast messages.

3.     Configure the device to operate in multicast client mode.
       Command: ntp-service multicast-client [ ip-address ]
       Remarks: By default, the device does not operate in multicast server mode. After you execute the command, the device receives NTP multicast messages from the specified interface.

Configuring the multicast server

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: Enter the interface for sending NTP multicast messages.

3.     Configure the device to operate in multicast server mode.
       Command: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
       Remarks: By default, the device does not operate in multicast server mode. After you execute the command, the device sends NTP multicast messages from the specified interface.

Configuring access control rights

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Configure the NTP service access control right for a peer device to access the local device.
       Command: ntp-service { peer | query | server | synchronization } acl acl-number
       Remarks: By default, the NTP service access control right for a peer device to access the local device is peer.

Before you configure the NTP service access control right to the local device, create and configure an ACL associated with the access control right. For more information about ACL, see ACL and QoS Configuration Guide.

Configuring NTP authentication

This section provides instructions for configuring NTP authentication.

Configuring NTP authentication in client/server mode

When you configure NTP authentication in client/server mode, enable NTP authentication, configure an authentication key, set the key as a trusted key on both client and server, and associate the key with the NTP server on the client. The key IDs and key values configured on the server and client must be the same. Otherwise, NTP authentication fails.

To configure NTP authentication for a client:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

5.     Associate the specified key with an NTP server.
       Command: ntp-service unicast-server { ip-address | server-name } [ vpn-instance vpn-instance-name ] authentication-keyid keyid
       Remarks: N/A

To configure NTP authentication for a server:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

NTP authentication results differ when different configurations are performed on client and server. For more information, see Table 2. (N/A in the table means that whether the configuration is performed does not make any difference.)

Table 2 NTP authentication results

| Client: Enable NTP authentication | Client: Configure a key and configure it as a trusted key | Client: Associate the key with an NTP server | Server: Enable NTP authentication | Server: Configure a key and configure it as a trusted key | Authentication result |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Succeeded. NTP messages can be sent and received properly. |
| Yes | Yes | Yes | Yes | No | Failed. NTP messages cannot be sent and received properly. |
| Yes | Yes | Yes | No | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | No | Yes | N/A | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | N/A | No | N/A | N/A | No authentication. NTP messages can be sent and received properly. |
| No | N/A | N/A | N/A | N/A | No authentication. NTP messages can be sent and received properly. |

Configuring NTP authentication in symmetric active/passive mode

When you configure NTP authentication in symmetric peers mode, enable NTP authentication, configure an authentication key, set the key as a trusted key on both active peer and passive peer, and associate the key with the passive peer on the active peer. The key IDs and key values configured on the active peer and passive peer must be the same. Otherwise, NTP authentication fails.

To configure NTP authentication for an active peer:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

5.     Associate the specified key with a passive peer.
       Command: ntp-service unicast-peer { ip-address | peer-name } [ vpn-instance vpn-instance-name ] authentication-keyid keyid
       Remarks: N/A

To configure NTP authentication for a passive peer:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

NTP authentication results differ when different configurations are performed on active peer and passive peer. For more information, see Table 3. (N/A in the table means that whether the configuration is performed does not make any difference.)

Table 3 NTP authentication results

| Active peer: Enable NTP authentication | Active peer: Configure a key and configure it as a trusted key | Active peer: Associate the key with a passive peer | Passive peer: Enable NTP authentication | Passive peer: Configure a key and configure it as a trusted key | Authentication result |
|---|---|---|---|---|---|
| Stratum level of the active and passive peers is not considered. | | | | | |
| Yes | Yes | Yes | Yes | Yes | Succeeded. NTP messages can be sent and received properly. |
| Yes | Yes | Yes | Yes | No | Failed. NTP messages cannot be sent and received properly. |
| Yes | Yes | Yes | No | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | N/A | No | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | N/A | No | No | N/A | No authentication. NTP messages can be sent and received properly. |
| No | N/A | N/A | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| No | N/A | N/A | No | N/A | No authentication. NTP messages can be sent and received properly. |
| The active peer has a higher stratum than the passive peer. | | | | | |
| Yes | No | Yes | N/A | N/A | Failed. NTP messages cannot be sent and received properly. |
| The passive peer has a higher stratum than the active peer. | | | | | |
| Yes | No | Yes | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | No | Yes | No | N/A | No authentication. NTP messages can be sent and received properly. |

Configuring NTP authentication in broadcast mode

When you configure NTP authentication in broadcast mode, enable NTP authentication, configure an authentication key, set the key as a trusted key on both the broadcast client and server, and configure an NTP authentication key on the broadcast server. The key IDs and key values configured on the broadcast server and client must be the same. Otherwise, NTP authentication fails.

To configure NTP authentication for a broadcast client:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

To configure NTP authentication for a broadcast server:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

5.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

6.     Associate the specified key with the broadcast server.
       Command: ntp-service broadcast-server authentication-keyid keyid
       Remarks: By default, the broadcast server is not associated with any key.

NTP authentication results differ when different configurations are performed on broadcast client and server. For more information, see Table 4. (N/A in the table means that whether the configuration is performed does not make any difference.)

Table 4 NTP authentication results

| Broadcast server: Enable NTP authentication | Broadcast server: Configure a key and configure it as a trusted key | Broadcast server: Associate the key with a broadcast server | Broadcast client: Enable NTP authentication | Broadcast client: Configure a key and configure it as a trusted key | Authentication result |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Succeeded. NTP messages can be sent and received properly. |
| Yes | Yes | Yes | Yes | No | Failed. NTP messages cannot be sent and received properly. |
| Yes | Yes | Yes | No | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | No | Yes | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | No | Yes | No | N/A | No authentication. NTP messages can be sent and received properly. |
| Yes | N/A | No | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | N/A | No | No | N/A | No authentication. NTP messages can be sent and received properly. |
| No | N/A | N/A | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| No | N/A | N/A | No | N/A | No authentication. NTP messages can be sent and received properly. |

Configuring NTP authentication in multicast mode

When you configure NTP authentication in multicast mode, enable NTP authentication, configure an authentication key, set the key as a trusted key on both the multicast client and server, and configure an NTP authentication key on the multicast server. The key IDs and key values configured on the multicast server and client must be the same. Otherwise, NTP authentication fails.

To configure NTP authentication for a multicast client:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

To configure NTP authentication for a multicast server:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable NTP authentication.
       Command: ntp-service authentication enable
       Remarks: By default, NTP authentication is disabled.

3.     Configure an NTP authentication key.
       Command: ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
       Remarks: By default, no NTP authentication key is configured.

4.     Configure the key as a trusted key.
       Command: ntp-service reliable authentication-keyid keyid
       Remarks: By default, no authentication key is configured as a trusted key.

5.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

6.     Associate the specified key with the multicast server.
       Command: ntp-service multicast-server [ ip-address ] authentication-keyid keyid
       Remarks: By default, no multicast server is associated with the specified key.

NTP authentication results differ when different configurations are performed on broadcast client and server. For more information, see Table 5. (N/A in the table means that whether the configuration is performed does not make any difference.)

Table 5 NTP authentication results

| Multicast server: Enable NTP authentication | Multicast server: Configure a key and configure it as a trusted key | Multicast server: Associate the key with a multicast server | Multicast client: Enable NTP authentication | Multicast client: Configure a key and configure it as a trusted key | Authentication result |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Succeeded. NTP messages can be sent and received properly. |
| Yes | Yes | Yes | Yes | No | Failed. NTP messages cannot be sent and received properly. |
| Yes | Yes | Yes | No | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | No | Yes | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | No | Yes | No | N/A | No authentication. NTP messages can be sent and received properly. |
| Yes | N/A | No | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| Yes | N/A | No | No | N/A | No authentication. NTP messages can be sent and received properly. |
| No | N/A | N/A | Yes | N/A | Failed. NTP messages cannot be sent and received properly. |
| No | N/A | N/A | No | N/A | No authentication. NTP messages can be sent and received properly. |
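The following added example (not part of the original guide or of H3C software) reads the authentication commands from a multicast server and a multicast client configuration and predicts the Table 5 outcome, so that a "No authentication" pairing is caught in review instead of passing unnoticed because synchronization still works. The configuration fragments are constructed from the command syntax in this section; the function names are hypothetical.

```python
import re

# Constructed running-config fragments built from the commands in this section.
SERVER_CFG = """\
ntp-service enable
ntp-service authentication enable
ntp-service authentication-keyid 88 authentication-mode md5 simple 123456
ntp-service reliable authentication-keyid 88
interface Vlan-interface2
 ntp-service multicast-server authentication-keyid 88
"""
CLIENT_CFG = """\
ntp-service enable
ntp-service authentication enable
ntp-service authentication-keyid 88 authentication-mode md5 simple 123456
ntp-service reliable authentication-keyid 88
interface Vlan-interface2
 ntp-service multicast-client
"""

KEY_RE = re.compile(r"ntp-service authentication-keyid (\d+) "
                    r"authentication-mode md5 (cipher|simple) (\S+)")
TRUST_RE = re.compile(r"ntp-service reliable authentication-keyid (\d+)")
ASSOC_RE = re.compile(r"ntp-service multicast-server(?: \S+)? "
                      r"authentication-keyid (\d+)")


def parse(cfg):
    """Collect the authentication-related settings of one device."""
    st = {"auth": False, "keys": {}, "trusted": set(), "assoc": None}
    for line in cfg.splitlines():
        line = line.strip()
        if line == "ntp-service authentication enable":
            st["auth"] = True
        elif KEY_RE.fullmatch(line):
            keyid, mode, value = KEY_RE.fullmatch(line).groups()
            st["keys"][int(keyid)] = (mode, value)
        elif TRUST_RE.fullmatch(line):
            st["trusted"].add(int(TRUST_RE.fullmatch(line).group(1)))
        elif ASSOC_RE.fullmatch(line):
            st["assoc"] = int(ASSOC_RE.fullmatch(line).group(1))
    return st


def usable(st, keyid):
    """True if the key is both configured and marked as trusted."""
    return keyid in st["keys"] and keyid in st["trusted"]


def predict(server_cfg, client_cfg):
    """Return 'succeeded', 'failed' or 'no authentication' as in Table 5."""
    srv, cli = parse(server_cfg), parse(client_cfg)
    keyid = srv["assoc"]
    server_authenticates = (srv["auth"] and keyid is not None
                            and usable(srv, keyid))
    if not server_authenticates:
        # Server messages carry no usable authentication information.
        return "failed" if cli["auth"] else "no authentication"
    if not cli["auth"] or not usable(cli, keyid):
        return "failed"
    (s_mode, s_val), (c_mode, c_val) = srv["keys"][keyid], cli["keys"][keyid]
    # Key values are only comparable when both were entered in plain text.
    if s_mode == c_mode == "simple" and s_val != c_val:
        return "failed"
    return "succeeded"


def audit(server_cfg, client_cfg):
    """Turn the prediction into a finding a reviewer can act on."""
    result = predict(server_cfg, client_cfg)
    if result == "no authentication":
        return result, "client synchronizes to unauthenticated multicast time"
    if result == "failed":
        return result, "client will not synchronize; align keys and settings"
    return result, "authenticated synchronization"


if __name__ == "__main__":
    print(audit(SERVER_CFG, CLIENT_CFG))
```
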

 

Configuring NTP optional parameters

The configuration tasks in this section are optional tasks. Configure them to improve NTP security, performance, or reliability.

Specifying the source interface for NTP messages

To prevent interface status changes from causing NTP communication failures, configure the device to use the IP address of an interface that is always up, for example, a loopback interface, as the source IP address for outgoing NTP messages. With a loopback interface as the source interface, an interface status change on the device does not prevent NTP messages from being received.

When the device responds to an NTP request, the source IP address of the NTP response is always the IP address of the interface that has received the NTP request.

To specify the source interface for NTP messages:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the source interface for NTP messages. | ntp-service source interface-type interface-number | By default, no source interface is specified for NTP messages. |

If you have configured the ntp-service broadcast-server command in the interface view, the source interface for the broadcast or multicast NTP messages is the interface configured with the ntp-service broadcast-server command.

 

Disabling an interface from receiving NTP messages

When NTP is enabled, all interfaces by default can receive NTP messages. For security purposes, you can disable some of them from receiving NTP messages.

To disable an interface from receiving NTP messages:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Disable the interface from receiving NTP messages. | ntp-service inbound disable | By default, an interface is enabled to receive NTP messages. |

 

Configuring the maximum number of dynamic associations

NTP has the following types of associations:

·           Static association—A manually created association.

·           Dynamic association—Temporary association created by the system during NTP operation. A dynamic association is removed if no messages are exchanged over a specific period of time.

The following describes how an association is established in different association modes:

·           Client/server mode—After you specify an NTP server, the system creates a static association on the client. The server simply responds passively upon the receipt of a message, rather than creating an association (static or dynamic).

·           Symmetric active/passive mode—After you specify a symmetric-passive peer on a symmetric active peer, static associations are created on the symmetric-active peer, and dynamic associations are created on the symmetric-passive peer.

·           Broadcast or multicast mode—Static associations are created on the server, and dynamic associations are created on the client.

A single device can have a maximum of 128 concurrent associations, including static associations and dynamic associations.

Perform this task to limit the number of dynamic associations so that they do not occupy too many system resources.

To configure the maximum number of dynamic associations:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure the maximum number of dynamic sessions allowed to be established. | ntp-service max-dynamic-sessions number | By default, a maximum of 100 dynamic sessions can be established. |

 

Configuring the local clock as a reference source

 

Follow these guidelines when you configure the local clock as a reference source:

·           Make sure the local clock can provide the time accuracy required for the network. After you configure the local clock as a reference source, the local clock is synchronized, and can operate as a time server to synchronize other devices in the network. If the local clock is incorrect, timing errors occur.

·           Before you configure this feature, adjust the local system time to make sure it is accurate.

·           If the device always restores the factory-default system time at a reboot, do not configure the local clock as a reference source or configure the device as a time server.

To configure the local clock as a reference source:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure the local clock as a reference source. | ntp-service refclock-master [ ip-address ] [ stratum ] | By default, the device does not use the local clock as a reference source. |

 

Displaying and maintaining NTP

Execute display commands in any view.

| Task | Command |
|---|---|
| Display information about NTP service status. | display ntp-service status |
| Display information about IPv4 NTP associations. | display ntp-service sessions [ verbose ] |
| Display brief information about the NTP servers from the local device back to the primary reference source. | display ntp-service trace |

 

NTP configuration examples

By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.

NTP client/server mode configuration example

Network requirements

As shown in Figure 5, the local clock of Device A is to be used as a reference source, with the stratum level 2. Device B operates in client mode and Device A is to be used as the NTP server for Device B.

Figure 5 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 5. (Details not shown.)

2.      Configure Device A:

# Enable the NTP service.

<DeviceA> system-view

[DeviceA] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[DeviceA] ntp-service refclock-master 2

3.      Configure Device B:

# Enable the NTP service.

<DeviceB> system-view

[DeviceB] ntp-service enable

# Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A.

[DeviceB] ntp-service unicast-server 1.0.1.11

4.      Verify the configuration:

# Display the NTP status of Device B after clock synchronization.

[DeviceB] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 1.0.1.11

 Local mode: client

 Reference clock ID: 1.0.1.11

 Leap indicator: 00

 Clock jitter: 0.000977 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00383 ms

 Root dispersion: 16.26572 ms

 Reference time: d0c6033f.b9923965  Wed, Dec 29 2010 18:58:07.724

The output shows that Device B has been synchronized to Device A, the clock stratum level of Device B is 3, and that of Device A is 2.

# Display IPv4 NTP association information for Device B.

[DeviceB] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

[12345]1.0.1.11        127.127.1.0        2     1   64   15   -4.0 0.0038 16.262

Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.

 Total sessions : 1

The output shows that an association has been set up between Device B and Device A.
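As an added example (not from the original guide), the script below parses display ntp-service status output for monitoring: it flags an unsynchronized clock, stratum 16, or a system peer outside an expected list, and decodes the hexadecimal reference time, which is an NTP timestamp (seconds since 1900 plus a 32-bit fraction). The first sample is the Device B output above; the second is a constructed unsynchronized status. The function names and the allowed-peer list are assumptions.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Output of "display ntp-service status" on Device B, as shown above.
STATUS = """\
 Clock status: synchronized
 Clock stratum: 3
 System peer: 1.0.1.11
 Local mode: client
 Reference clock ID: 1.0.1.11
 Leap indicator: 00
 Clock jitter: 0.000977 s
 Stability: 0.000 pps
 Clock precision: 2^-10
 Root delay: 0.00383 ms
 Root dispersion: 16.26572 ms
 Reference time: d0c6033f.b9923965  Wed, Dec 29 2010 18:58:07.724
"""

# Constructed sample of a device that has no usable time source.
UNSYNC = """\
 Clock status: unsynchronized
 Clock stratum: 16
 Reference clock ID: none
"""


def parse_status(text):
    """Split 'Name: value' lines into a dictionary."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields


def ntp_timestamp(hexstamp):
    """Convert 'ssssssss.ffffffff' (hex NTP timestamp) to a UTC datetime."""
    sec_hex, frac_hex = hexstamp.split(".")
    seconds = int(sec_hex, 16)
    micros = (int(frac_hex, 16) * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def check(text, allowed_peers):
    """Return (fields, problems) for one status output."""
    fields = parse_status(text)
    problems = []
    if fields.get("Clock status") != "synchronized":
        problems.append("clock is not synchronized")
    if int(fields.get("Clock stratum", 16)) >= 16:
        problems.append("stratum 16 (no usable time source)")
    peer = fields.get("System peer")
    if peer is not None and peer not in allowed_peers:
        problems.append("unexpected system peer " + peer)
    ref = fields.get("Reference time")
    if ref:
        fields["reference_utc"] = ntp_timestamp(ref.split()[0])
    return fields, problems


if __name__ == "__main__":
    for sample in (STATUS, UNSYNC):
        fields, problems = check(sample, {"1.0.1.11"})
        print(fields.get("reference_utc"), problems or "ok")
```
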

NTP symmetric active/passive mode configuration example

Network requirements

·           As shown in Figure 6, Device C has a clock more accurate than Device A. Set the local clock of Device A as a reference source, with the stratum level 3.

·           Set the local clock of Device C as a reference source, with the stratum level 2.

·           Configure Device B to operate in client mode and specify Device A as the NTP server of Device B.

·           Configure Device C to operate in symmetric-active mode and specify Device B as the passive peer of Device C.

Figure 6 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 6. (Details not shown.)

2.      Configure Device A:

# Enable the NTP service.

<DeviceA> system-view

[DeviceA] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 3.

[DeviceA] ntp-service refclock-master 3

3.      Configure Device B:

# Enable the NTP service.

[DeviceB] ntp-service enable

# Specify Device A as the NTP server of Device B.

[DeviceB] ntp-service unicast-server 3.0.1.31

4.      Configure Device C:

# Enable the NTP service.

<DeviceC> system-view

[DeviceC] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[DeviceC] ntp-service refclock-master 2

# Configure Device B as a symmetric passive peer.

[DeviceC] ntp-service unicast-peer 3.0.1.32

5.      Verify the configuration:

# After the configuration, Device B has two time servers: Device A and Device C. Device C has a lower stratum level than Device A, so Device B selects Device C as its reference clock and synchronizes to it. After synchronization, view the status of Device B. The output shows that Device B has been synchronized to Device C.

[DeviceB] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 3.0.1.33

 Local mode: sym_passive

 Reference clock ID: 3.0.1.33

 Leap indicator: 00

 Clock jitter: 0.000916 s

 Stability: 0.000 pps

 Clock precision: 2^-17

 Root delay: 0.00609 ms

 Root dispersion: 1.95859 ms

 Reference time: 83aec681.deb6d3e5  Sun, Jan  4 1970  5:56:17.869

# Display IPv4 NTP association information for Device B.

[DeviceB] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

   [25]3.0.1.31        127.127.1.0        3    28   64    - 0.0000 0.0000 4000.0

 [1234]3.0.1.33        127.127.1.0        2    62   64   34 0.4251 6.0882 1392.1

Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.

 Total sessions: 2

The output shows that associations have been set up between Device B and Device A, and between Device B and Device C.

NTP broadcast mode configuration example

Network requirements

As shown in Figure 7, Switch C functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices.

·           Switch C's local clock is to be used as a reference source, with the stratum level 2.

·           Switch C operates in broadcast server mode and sends out broadcast messages from VLAN-interface 2.

·           Switch A and Switch B operate in broadcast client mode, and listen to broadcast messages through VLAN-interface 2.

Figure 7 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 7. (Details not shown.)

2.      Configure Switch C:

# Enable the NTP service.

<SwitchC> system-view

[SwitchC] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[SwitchC] ntp-service refclock-master 2

# Configure Switch C to operate in broadcast server mode and send broadcast messages through VLAN-interface 2.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service broadcast-server

3.      Configure Switch A:

# Enable the NTP service.

<SwitchA> system-view

[SwitchA] ntp-service enable

# Configure Switch A to operate in broadcast client mode and receive broadcast messages on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ntp-service broadcast-client

4.      Configure Switch B:

# Enable the NTP service.

<SwitchB> system-view

[SwitchB] ntp-service enable

# Configure Switch B to operate in broadcast client mode and receive broadcast messages on VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ntp-service broadcast-client

5.      Verify the configuration:

# Switch A and Switch B get synchronized upon receiving a broadcast message from Switch C. Display the NTP status of Switch A after clock synchronization.

[SwitchA-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 3.0.1.31

 Local mode: bclient

 Reference clock ID: 3.0.1.31

 Leap indicator: 00

 Clock jitter: 0.044281 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00229 ms

 Root dispersion: 4.12572 ms

 Reference time: d0d289fe.ec43c720  Sat, Jan  8 2011  7:00:14.922

The output shows that Switch A has been synchronized to Switch C, the clock stratum level of Switch A is 3, and that of Switch C is 2.

# Display IPv4 NTP association information for Switch A.

[SwitchA-Vlan-interface2] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1245]3.0.1.31        127.127.1.0        2     1  64  519   -0.0 0.0022 4.1257

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1

The output shows that an association has been set up between Switch A and Switch C.

NTP multicast mode configuration example

Network requirements

As shown in Figure 8, Switch C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices.

·           Switch C's local clock is to be used as a reference source, with the stratum level 2.

·           Switch C operates in multicast server mode and sends out multicast messages from VLAN-interface 2.

·           Switch A and Switch D operate in multicast client mode and receive multicast messages through VLAN-interface 3 and VLAN-interface 2 respectively.

Figure 8 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 8. (Details not shown.)

2.      Configure Switch C:

# Enable the NTP service.

<SwitchC> system-view

[SwitchC] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[SwitchC] ntp-service refclock-master 2

# Configure Switch C to operate in multicast server mode and send multicast messages through VLAN-interface 2.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service multicast-server

3.      Configure Switch D:

# Enable the NTP service.

<SwitchD> system-view

[SwitchD] ntp-service enable

# Configure Switch D to operate in multicast client mode and receive multicast messages on VLAN-interface 2.

[SwitchD] interface vlan-interface 2

[SwitchD-Vlan-interface2] ntp-service multicast-client

4.      Verify the configuration:

# Because Switch D and Switch C are on the same subnet, Switch D can receive the multicast messages from Switch C without the multicast functions being enabled and can be synchronized to Switch C. Display the NTP status of Switch D after clock synchronization.

[SwitchD-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 3.0.1.31

 Local mode: bclient

 Reference clock ID: 3.0.1.31

 Leap indicator: 00

 Clock jitter: 0.044281 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00229 ms

 Root dispersion: 4.12572 ms

 Reference time: d0d289fe.ec43c720  Sat, Jan  8 2011  7:00:14.922

The output shows that Switch D has been synchronized to Switch C, the clock stratum level of Switch D is 3, and that of Switch C is 2.

# Display IPv4 NTP association information for Switch D.

[SwitchD-Vlan-interface2] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1245]3.0.1.31        127.127.1.0        2     1   64  519   -0.0 0.0022 4.1257

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1

The output shows that an association has been set up between Switch D and Switch C.

5.      Configure Switch B:

Because Switch A and Switch C are on different subnets, you must enable the multicast functions on Switch B before Switch A can receive multicast messages from Switch C.

# Enable IP multicast routing and IGMP.

<SwitchB> system-view

[SwitchB] multicast routing-enable

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] pim dm

[SwitchB-Vlan-interface2] quit

[SwitchB] vlan 3

[SwitchB-vlan3] port GigabitEthernet 3/0/1

[SwitchB-vlan3] quit

[SwitchB] interface vlan-interface 3

[SwitchB-Vlan-interface3] igmp enable

[SwitchB-Vlan-interface3] igmp static-group 224.0.1.1

[SwitchB-Vlan-interface3] quit

[SwitchB] interface GigabitEthernet 3/0/1

[SwitchB-GigabitEthernet3/0/1] igmp-snooping static-group 224.0.1.1 vlan 3

6.      Configure Switch A:

# Enable the NTP service.

<SwitchA> system-view

[SwitchA] ntp-service enable

# Configure Switch A to operate in multicast client mode and receive multicast messages on VLAN-interface 3.

[SwitchA] interface vlan-interface 3

[SwitchA-Vlan-interface3] ntp-service multicast-client

7.      Verify the configuration:

# Display the NTP status of Switch A after clock synchronization.

[SwitchA-Vlan-interface3] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 3.0.1.31

 Local mode: bclient

 Reference clock ID: 3.0.1.31

 Leap indicator: 00

 Clock jitter: 0.165741 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00534 ms

 Root dispersion: 4.51282 ms

 Reference time: d0c61289.10b1193f  Wed, Dec 29 2010 20:03:21.065

The output shows that Switch A has been synchronized to Switch C, the clock stratum level of Switch A is 3, and that of Switch C is 2.

# Display IPv4 NTP association information for Switch A.

[SwitchA-Vlan-interface3] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1234]3.0.1.31        127.127.1.0        2   247   64  381   -0.0 0.0053 4.5128

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1

The output shows that an association has been set up between Switch A and Switch C.

Configuration example for NTP client/server mode with authentication

Network requirements

·           As shown in Figure 9, configure the local clock of Device A as a reference source, with the stratum level 2.

·           Configure Device B to operate in client mode and specify Device A as the NTP server of Device B.

·           Configure NTP authentication on both Device A and Device B.

Figure 9 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 9. (Details not shown.)

2.      Configure Device A:

# Enable the NTP service.

<DeviceA> system-view

[DeviceA] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[DeviceA] ntp-service refclock-master 2

3.      Configure Device B:

# Enable the NTP service.

<DeviceB> system-view

[DeviceB] ntp-service enable

# Enable NTP authentication on Device B.

[DeviceB] ntp-service authentication enable

# Set an authentication key, and input the key in plain text.

[DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey

# Specify the key as a trusted key.

[DeviceB] ntp-service reliable authentication-keyid 42

# Specify Device A as the NTP server of Device B, and associate the server with key 42.

[DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42

Before Device B can synchronize its clock to that of Device A, enable NTP authentication for Device A.

4.      Configure NTP authentication on Device A:

# Enable NTP authentication.

[DeviceA] ntp-service authentication enable

# Set an authentication key, and input the key in plain text.

[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey

# Specify the key as a trusted key.

[DeviceA] ntp-service reliable authentication-keyid 42

5.      Verify the configuration:

# Display the NTP status of Device B after clock synchronization.

[DeviceB] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 1.0.1.11

 Local mode: client

 Reference clock ID: 1.0.1.11

 Leap indicator: 00

 Clock jitter: 0.005096 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00655 ms

 Root dispersion: 1.15869 ms

 Reference time: d0c62687.ab1bba7d  Wed, Dec 29 2010 21:28:39.668

The output shows that Device B has been synchronized to Device A, the clock stratum level of Device B is 3, and that of Device A is 2.

# Display IPv4 NTP association information for Device B.

[DeviceB] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1245]1.0.1.11        127.127.1.0        2     1   64  519   -0.0 0.0065    0.0

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1

The output shows that an association has been set up between Device B and Device A.
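The example below is added here and is not code from the guide or the device. It shows at packet level why the key ID, the key value and the trusted-key setting must all agree, assuming the devices use the standard NTP symmetric-key MAC (a 4-byte key ID followed by an MD5 digest over the key and the 48-byte header), which the guide does not spell out. Key 42 and the value aNiceKey come from the configuration above; the function names and the minimal header are hypothetical.

```python
import hashlib
import hmac
import struct

MODE_CLIENT = 3
HEADER_LEN = 48
MAC_LEN = 4 + 16  # key ID + MD5 digest


def ntp_header(mode, stratum=0, version=4):
    """Minimal 48-byte NTP header: LI=0, version and mode; timestamps zeroed."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", first, stratum, 6, -10) + bytes(44)


def add_mac(header, keyid, key):
    """Sender side: append key ID and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", keyid) + digest


def verify(packet, keys, trusted):
    """Receiver side with authentication enabled. Returns (accepted, reason)."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(mac) != MAC_LEN:
        return False, "no MAC"
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in keys:
        return False, "unknown key ID"
    if keyid not in trusted:
        return False, "key ID not trusted"
    expected = hashlib.md5(keys[keyid] + header).digest()
    # Constant-time comparison of the received and recomputed digests.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    request = add_mac(ntp_header(MODE_CLIENT), 42, b"aNiceKey")
    # Matching key, trusted: accepted.
    print(verify(request, {42: b"aNiceKey"}, {42}))
    # Same key ID, different value: rejected.
    print(verify(request, {42: b"otherKey"}, {42}))
    # Key configured but never set as trusted: rejected.
    print(verify(request, {42: b"aNiceKey"}, set()))
```
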

Configuration example for NTP broadcast mode with authentication

Network requirements

As shown in Figure 10, Switch C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices. Switch A and Switch B authenticate the reference source.

·           Configure Switch C's local clock as a reference source, with the stratum level 3.

·           Configure Switch C to operate in broadcast server mode and send out broadcast messages from VLAN-interface 2.

·           Switch A and Switch B operate in broadcast client mode and receive broadcast messages through VLAN-interface 2.

·           Enable NTP authentication on Switch A, Switch B, and Switch C.

Figure 10 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 10. (Details not shown.)

2.      Configure Switch A:

# Enable the NTP service.

<SwitchA> system-view

[SwitchA] ntp-service enable

# Enable NTP authentication on Switch A. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Input the key in plain text, and specify it as a trusted key.

[SwitchA] ntp-service authentication enable

[SwitchA] ntp-service authentication-keyid 88 authentication-mode md5 simple 123456

[SwitchA] ntp-service reliable authentication-keyid 88

# Configure Switch A to operate in NTP broadcast client mode and receive NTP broadcast messages on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ntp-service broadcast-client

3.      Configure Switch B:

# Enable the NTP service.

<SwitchB> system-view

[SwitchB] ntp-service enable

# Enable NTP authentication on Switch B. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Input the key in plain text and specify it as a trusted key.

[SwitchB] ntp-service authentication enable

[SwitchB] ntp-service authentication-keyid 88 authentication-mode md5 simple 123456

[SwitchB] ntp-service reliable authentication-keyid 88

# Configure Switch B to operate in broadcast client mode and receive NTP broadcast messages on VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ntp-service broadcast-client

4.      Configure Switch C:

# Enable the NTP service.

<SwitchC> system-view

[SwitchC] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 3.

[SwitchC] ntp-service refclock-master 3

# Configure Switch C to operate in NTP broadcast server mode and use VLAN-interface 2 to send NTP broadcast packets.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service broadcast-server

[SwitchC-Vlan-interface2] quit

5.      Verify the configuration:

# NTP authentication is enabled on Switch A and Switch B, but not on Switch C, so Switch A and Switch B cannot synchronize their local clocks to Switch C. Display the NTP service status on Switch B.

[SwitchB-Vlan-interface2] display ntp-service status

 Clock status: unsynchronized

 Clock stratum: 16

 Reference clock ID: none

6.      Enable NTP authentication on Switch C:

# Enable NTP authentication on Switch C. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Input the key in plain text, and specify it as a trusted key.

[SwitchC] ntp-service authentication enable

[SwitchC] ntp-service authentication-keyid 88 authentication-mode md5 simple 123456

[SwitchC] ntp-service reliable authentication-keyid 88

# Specify Switch C as an NTP broadcast server, and associate the key 88 with Switch C.

[SwitchC] interface vlan-interface 2

[SwitchC-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88

7.      Verify the configuration:

# After NTP authentication is enabled on Switch C, Switch A and Switch B can synchronize their local clocks to Switch C. Display NTP service status on Switch B.

[SwitchB-Vlan-interface2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 4

 System peer: 3.0.1.31

 Local mode: client

 Reference clock ID: 3.0.1.31

 Leap indicator: 00

 Clock jitter: 0.006683 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00127 ms

 Root dispersion: 2.89877 ms

 Reference time: d0d287a7.3119666f  Sat, Jan  8 2011  6:50:15.191

The output shows that Switch B has been synchronized to Switch C, the clock stratum level of Switch B is 4, and that of Switch C is 3.

# Display IPv4 NTP association information for Switch B.

[SwitchB-Vlan-interface2] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1245]3.0.1.31        127.127.1.0        3     3  64   68   -0.0 0.0000    0.0

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1

The output shows that an association has been set up between Switch B and Switch C.

Configuration example for MPLS VPN time synchronization in client/server mode

Network requirements

As shown in Figure 11, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2. CE 1 and CE 3 are devices in VPN 1. To synchronize the time between PE 2 and CE 1 in VPN 1, configure CE 1's local clock as a reference source, with the stratum level 2, configure PE 1 to operate in client/server mode, and specify VPN 1 as the target VPN.

Figure 11 Network diagram

 

Configuration procedure

Before you perform the following configuration, complete the MPLS VPN-related configurations and make sure CE 1 and PE 1, PE 1 and PE 2, and PE 2 and CE 3 can reach each other. For information about configuring MPLS VPN, see MPLS Configuration Guide.

1.      Set the IP address for each interface as shown in Figure 11. (Details not shown.)

2.      Configure CE 1:

# Enable the NTP service.

<CE1> system-view

[CE1] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[CE1] ntp-service refclock-master 2

3.      Configure PE 2:

# Enable the NTP service.

<PE2> system-view

[PE2] ntp-service enable

# Specify CE 1 in VPN 1 as the NTP server of PE 2.

[PE2] ntp-service unicast-server 10.1.1.1 vpn-instance vpn1

4.      Verify the configuration:

# After a period of time, display the IPv4 NTP association information and status on PE 2.

[PE2] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 10.1.1.1

 Local mode: client

 Reference clock ID: 10.1.1.1

 Leap indicator: 00

 Clock jitter: 0.005096 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00655 ms

 Root dispersion: 1.15869 ms

 Reference time: d0c62687.ab1bba7d  Wed, Dec 29 2010 21:28:39.668

[PE2] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1245]10.1.1.1        127.127.1.0        2     1   64  519   -0.0 0.0065    0.0

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1    

[PE2] display ntp-service trace

Server     127.0.0.1

Stratum    3 , jitter  0.000, synch distance 796.50.

Server     10.1.1.1

Stratum    2 , jitter 939.00, synch distance 0.0000.

RefID      127.127.1.0

The output shows that PE 2 has been synchronized to CE 1, with the stratum level 3.

Configuration example for MPLS VPN time synchronization in symmetric active/passive mode

Network requirements

As shown in Figure 12, two VPNs are present on PE 1 and PE 2: VPN 1 and VPN 2. CE 1 and CE 3 belong to VPN 1. To synchronize the time between PE 1 and CE 1 in VPN 1, configure CE 1's local clock as a reference source, with the stratum level 2, configure CE 1 to operate in symmetric active mode, and specify VPN 1 as the target VPN.

Figure 12 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 12. (Details not shown.)

2.      Configure CE 1:

# Enable the NTP service.

<CE1> system-view

[CE1] ntp-service enable

# Specify the local clock as the reference source, with the stratum level 2.

[CE1] ntp-service refclock-master 2

3.      Configure PE 1:

# Enable the NTP service.

<PE1> system-view

[PE1] ntp-service enable

# Specify CE 1 in VPN 1 as the symmetric-passive peer of PE 1.

[PE1] ntp-service unicast-peer 10.1.1.1 vpn-instance vpn1

4.      Verify the configuration:

# After a period of time, display the IPv4 NTP association information and status on PE 1.

[PE1] display ntp-service status

 Clock status: synchronized

 Clock stratum: 3

 System peer: 10.1.1.1

 Local mode: sym_active

 Reference clock ID: 10.1.1.1

 Leap indicator: 00

 Clock jitter: 0.005096 s

 Stability: 0.000 pps

 Clock precision: 2^-10

 Root delay: 0.00655 ms

 Root dispersion: 1.15869 ms

 Reference time: d0c62687.ab1bba7d  Wed, Dec 29 2010 21:28:39.668

[PE1] display ntp-service sessions

       source          reference       stra reach poll  now offset  delay disper

********************************************************************************

 [1245]10.1.1.1        127.127.1.0        2     1   64  519   -0.0 0.0000    0.0

Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.

 Total sessions : 1   

[PE1] display ntp-service trace

Server     127.0.0.1

Stratum    3 , jitter  0.000, synch distance 796.50.

Server     10.1.1.1

Stratum    2 , jitter 939.00, synch distance 0.0000.

RefID      127.127.1.0

The output shows that PE 1 has been synchronized to CE 1, with the stratum level 3.


Configuring SNTP

SNTP is a simplified, client-only version of NTP specified in RFC 4330. SNTP supports only the client/server mode. An SNTP-enabled device can receive time from NTP servers, but cannot provide time services to other devices.

SNTP uses the same packet format and packet exchange procedure as NTP, but provides faster synchronization at the price of time accuracy.

If you specify multiple NTP servers for an SNTP client, the server with the best stratum is selected. If multiple servers are at the same stratum, the NTP server whose time packet is first received is selected.

Configuration restrictions and guidelines

·           You cannot configure both NTP and SNTP on the same device.

·           In MDC context, H3C recommends that you configure NTP or SNTP only on the management MDC. If you configure NTP or SNTP on multiple MDCs on the same device, problems occur, such as frequent system time changes and inconsistency between the system time and the time on the time server of the MDCs.

Configuration task list

 

Tasks at a glance

(Required.) Enabling the SNTP service

(Required.) Specifying an NTP server for the device

(Optional.) Configuring SNTP authentication

 

Enabling the SNTP service

The NTP service and SNTP service are mutually exclusive. You can enable only one of them at a time.

To enable the SNTP service:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable the SNTP service.
Command: sntp enable
Remarks: By default, the SNTP service is not enabled.

 

Specifying an NTP server for the device

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Specify an NTP server for the device.
Command: sntp unicast-server { ip-address | server-name } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | source interface-type interface-number | version number ] *
Remarks: By default, no NTP server is specified for the device. To use authentication, you must specify the authentication-keyid keyid option.

 

To use an NTP server as the time source, make sure its clock has been synchronized. If the stratum level of the NTP server is greater than or equal to that of the client, the client does not synchronize with the NTP server.

Configuring SNTP authentication

SNTP authentication makes sure an SNTP client is synchronized only to an authenticated trustworthy NTP server.

For SNTP authentication to work, follow these guidelines:

·           Enable authentication on both the NTP server and the SNTP client.

·           Configure the SNTP client with the same authentication key ID and key value as the NTP server, and specify the key as a trusted key on both the NTP server and the SNTP client. For information about configuring NTP authentication on an NTP server, see "Configuring NTP."

·           Associate the specified key with the specific NTP server on the SNTP client.

With authentication disabled, the SNTP client can synchronize with the NTP server regardless of whether the NTP server is enabled with authentication.

To configure SNTP authentication on the SNTP client:

 

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable SNTP authentication.
Command: sntp authentication enable
Remarks: By default, SNTP authentication is disabled.

Step 3. Configure an SNTP authentication key.
Command: sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value
Remarks: By default, no SNTP authentication key is configured.

Step 4. Specify the key as a trusted key.
Command: sntp reliable authentication-keyid keyid
Remarks: By default, no trusted key is specified.

Step 5. Associate the SNTP authentication key with the specific NTP server.
Command: sntp unicast-server { ip-address | server-name } [ vpn-instance vpn-instance-name ] authentication-keyid keyid
Remarks: By default, no NTP server is specified.

 

Displaying and maintaining SNTP

Execute display commands in any view.

 

Task: Display information about all SNTP associations.
Command: display sntp sessions

 

SNTP configuration example

Network requirements

Configure the local clock of Device A as a reference source, with the stratum level 2. Configure Device B to operate in SNTP client mode, and specify Device A as the NTP server. Configure NTP authentication on Device A and SNTP authentication on Device B.

Figure 13 Network diagram

 

Configuration procedure

1.      Set the IP address for each interface as shown in Figure 13. (Details not shown.)

2.      Configure Device A:

# Enable the NTP service.

<DeviceA> system-view

[DeviceA] ntp-service enable

# Configure the local clock of Device A as a reference source, with the stratum level 2.

[DeviceA] ntp-service refclock-master 2

# Enable NTP authentication on Device A.

[DeviceA] ntp-service authentication enable

# Configure an NTP authentication key, with the key ID of 10 and key value of aNiceKey. Input the key in plain text.

[DeviceA] ntp-service authentication-keyid 10 authentication-mode md5 simple aNiceKey

# Specify the key as a trusted key.

[DeviceA] ntp-service reliable authentication-keyid 10

3.      Configure Device B:

# Enable the SNTP service.

<DeviceB> system-view

[DeviceB] sntp enable

# Enable SNTP authentication on Device B.

[DeviceB] sntp authentication enable

# Configure an SNTP authentication key, with the key ID of 10 and key value of aNiceKey. Input the key in plain text.

[DeviceB] sntp authentication-keyid 10 authentication-mode md5 simple aNiceKey

# Specify the key as a trusted key.

[DeviceB] sntp reliable authentication-keyid 10

# Specify Device A as the NTP server of Device B, and associate the server with key 10.

[DeviceB] sntp unicast-server 1.0.1.11 authentication-keyid 10

4.      Verify the configuration:

# Display SNTP association information for Device B.

[DeviceB] display sntp sessions

NTP server     Stratum   Version    Last receive time

1.0.1.11        2         4          Tue, May 17 2011  9:11:20.833 (Synced)

The output shows that an association has been established between Device B and Device A, and Device B has been synchronized to Device A.
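The client-side acceptance logic that the SNTP authentication guidelines and this configuration example describe, sketched in Python as an added illustration (not H3C code). It assumes the standard NTP symmetric-key MAC from RFC 5905 (a 32-bit key ID followed by MD5 over the key and the 48-byte header); the SntpClient class, its method names and the sample packet are constructed for the example, and only key ID 10, key value aNiceKey and server 1.0.1.11 come from the page.

```python
import hashlib
import hmac
import struct

HEADER_LEN, MAC_LEN = 48, 20  # NTP header; MAC = 4-byte key ID + 16-byte MD5 digest

def md5_mac(key: bytes, key_id: int, header: bytes) -> bytes:
    """Key ID followed by MD5(key || header), the RFC 5905 symmetric-key MAC."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

class SntpClient:  # hypothetical model of the client-side settings
    def __init__(self, auth_enabled: bool):
        self.auth_enabled = auth_enabled  # sntp authentication enable
        self.keys = {}        # key ID -> value   (sntp authentication-keyid)
        self.trusted = set()  # trusted key IDs   (sntp reliable authentication-keyid)
        self.server_key = {}  # server -> key ID  (sntp unicast-server ... authentication-keyid)

    def check_reply(self, server: str, packet: bytes) -> str:
        if not self.auth_enabled:
            return "accepted (authentication disabled)"
        key_id = self.server_key.get(server)
        if key_id is None:  # the page: authentication is used only if a key is specified
            return "accepted (no key associated with server)"
        if len(packet) != HEADER_LEN + MAC_LEN:
            return "rejected: reply carries no MD5 MAC"
        header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
        (rx_id,) = struct.unpack("!I", mac[:4])
        if rx_id != key_id or rx_id not in self.trusted or rx_id not in self.keys:
            return "rejected: key ID not associated or not trusted"
        if not hmac.compare_digest(mac, md5_mac(self.keys[rx_id], rx_id, header)):
            return "rejected: digest mismatch"
        return "accepted (authenticated)"

# Constructed sample: mode 4 (server) reply, version 4, stratum 2, timestamps zeroed.
HEADER = struct.pack("!BBbb", 0x24, 2, 6, -10) + bytes(44)

def demo():
    client = SntpClient(auth_enabled=True)
    client.keys[10] = b"aNiceKey"
    client.trusted.add(10)
    client.server_key["1.0.1.11"] = 10
    good = HEADER + md5_mac(b"aNiceKey", 10, HEADER)
    wrong_key = HEADER + md5_mac(b"otherKey", 10, HEADER)  # same key ID, different value
    return {
        "good": client.check_reply("1.0.1.11", good),
        "wrong_key": client.check_reply("1.0.1.11", wrong_key),
        "no_mac": client.check_reply("1.0.1.11", HEADER),
    }
```

The two "accepted" branches without a MAC check are the cases to audit for: authentication left disabled, or a server configured without the authentication-keyid option.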
