Configuring NTP
Before you use the device on a live network, you must synchronize it with a trusted time source, either by using the Network Time Protocol (NTP) or by changing the system time. Because the timestamps of system messages and logs use the system time, tasks such as network management, charging, auditing, and distributed computing depend on an accurate system time setting.
Overview
NTP is typically used in large networks to dynamically synchronize time among network devices. It guarantees higher clock accuracy than manual system clock setting. In a small network that does not require high clock accuracy, you can keep time synchronized among devices by changing their system clocks one at a time.
NTP runs over UDP and uses UDP port 123.
NTP application
NTP allows quick clock synchronization within the entire network and ensures a high clock precision.
NTP is used when all devices within the network must have consistent timekeeping, for example:
· In network management, time must be used as the reference basis for analyzing the log information and debugging information collected from different devices.
· All devices must use the same reference clock in a charging system.
· To implement certain functions, such as scheduled restart of all devices within the network, all devices must be consistent in timekeeping.
· When multiple systems process a complex event in cooperation, these systems must use the same reference clock to ensure the correct execution sequence.
· For incremental backup between a backup server and clients, timekeeping must be synchronized between the backup server and all the clients.
NTP advantages
· NTP uses a stratum to describe clock precision, and it can synchronize time among all devices within the network.
· NTP supports access control and MD5 authentication.
· NTP can unicast, multicast or broadcast protocol messages.
How NTP works
Figure 1 shows how NTP synchronizes the system time between two devices: Device A and Device B. In this example:
· Prior to the time synchronization, the time of Device A is set to 10:00:00 am and Device B is set to 11:00:00 am.
· Device B is used as the NTP server. Device A is to be synchronized to Device B.
· It takes 1 second for an NTP message to travel from Device A to Device B, and from Device B to Device A.
Figure 1 Basic work flow of NTP
The synchronization process is as follows:
1. Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The timestamp is 10:00:00 am (T1).
2. When this NTP message arrives at Device B, it is timestamped by Device B. The timestamp is 11:00:01 am (T2).
3. When the NTP message leaves Device B, Device B timestamps it. The timestamp is 11:00:02 am (T3).
4. When Device A receives the NTP message, the local time of Device A is 10:00:03 am (T4).
Device A calculates the following parameters based on the timestamps:
· Roundtrip delay of an NTP message: Delay = (T4 - T1) - (T3 - T2) = 2 seconds.
· Time difference between Device A and Device B: Offset = ((T2 - T1) + (T3 - T4)) / 2 = 1 hour.
Based on these parameters, Device A synchronizes its own clock to the clock of Device B.
For more information, see RFC 1305.
NTP message format
All NTP messages in this document refer to NTP clock synchronization messages.
NTP uses two types of messages: clock synchronization messages and NTP control messages. NTP control messages are used in environments where network management is needed. Because NTP control messages are not essential for clock synchronization, they are not described in this document.
A clock synchronization message is encapsulated in a UDP message, as shown in Figure 2.
Figure 2 Clock synchronization message format
The fields are described as follows:
· LI (Leap Indicator)—A 2-bit leap indicator. If set to 11, it warns of an alarm condition (clock unsynchronized). If set to any other value, it will not be processed by NTP.
· VN (Version Number)—A 3-bit version number that indicates the version of NTP. The latest version is version 4.
· Mode—A 3-bit code that indicates the work mode of NTP. This field can be set to these values:
¡ 0—Reserved
¡ 1—Symmetric active
¡ 2—Symmetric passive
¡ 3—Client
¡ 4—Server
¡ 5—Broadcast or multicast
¡ 6—NTP control message
¡ 7—Reserved for private use
· Stratum—An 8-bit integer that indicates the stratum level of the local clock, in the range of 1 to 16. Clock precision decreases from stratum 1 through stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized.
· Poll—An 8-bit signed integer that indicates the maximum interval between successive messages, which is called the poll interval.
· Precision—An 8-bit signed integer that indicates the precision of the local clock.
· Root Delay—Roundtrip delay to the primary reference source.
· Root Dispersion—The maximum error of the local clock relative to the primary reference source.
· Reference Identifier—Identifier of the particular reference source.
· Reference Timestamp—The local time at which the local clock was most recently set or corrected.
· Originate Timestamp—The local time at which the request departed from the client for the service host.
· Receive Timestamp—The local time at which the request arrived at the service host.
· Transmit Timestamp—The local time at which the reply departed from the service host for the client.
· Authenticator—Authentication information.
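The message layout and the delay/offset calculation described above, as an added Python example (not H3C's code): it parses the 48-byte header into the listed fields, recomputes the Device A and Device B figures from T1 to T4, and runs basic sanity checks on a reply. The helper names, the constructed timestamps, and the originate-timestamp echo check (a standard NTP client check that this page does not describe) are assumptions of the example.

```python
import struct
from dataclasses import dataclass

MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast or multicast",
         6: "NTP control message", 7: "reserved for private use"}

# 48-byte header in network byte order: flags, stratum, poll, precision,
# root delay (signed 16.16), root dispersion (16.16), reference ID,
# then four 64-bit timestamps as (seconds, fraction) pairs.
HEADER = struct.Struct("!BBbbiI4s8I")


@dataclass
class NtpMessage:
    li: int
    vn: int
    mode: int
    stratum: int
    poll: int
    precision: int
    root_delay: float
    root_dispersion: float
    reference_id: bytes
    reference_ts: float
    originate_ts: float
    receive_ts: float
    transmit_ts: float
    authenticator: bytes   # bytes after the header, b"" if absent


def parse_ntp(packet: bytes) -> NtpMessage:
    if len(packet) < HEADER.size:
        raise ValueError(f"short NTP message: {len(packet)} bytes")
    (flags, stratum, poll, precision, rdelay, rdisp, refid,
     *ts) = HEADER.unpack_from(packet)
    # Seconds since 1900 plus a 32-bit binary fraction.
    stamps = [ts[i] + ts[i + 1] / 2**32 for i in range(0, 8, 2)]
    return NtpMessage(
        li=flags >> 6, vn=(flags >> 3) & 0x7, mode=flags & 0x7,
        stratum=stratum, poll=poll, precision=precision,
        root_delay=rdelay / 2**16, root_dispersion=rdisp / 2**16,
        reference_id=refid,
        reference_ts=stamps[0], originate_ts=stamps[1],
        receive_ts=stamps[2], transmit_ts=stamps[3],
        authenticator=packet[HEADER.size:])


def build_ntp(mode, stratum, originate=0, receive=0, transmit=0, li=0, vn=3):
    """Build a constructed message with whole-second timestamps."""
    flags = (li << 6) | (vn << 3) | mode
    return HEADER.pack(flags, stratum, 6, -20, 0, 0, b"LOCL",
                       0, 0, originate, 0, receive, 0, transmit, 0)


def delay_and_offset(t1, t2, t3, t4):
    """Delay and offset exactly as defined in the text."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def reply_problems(request: bytes, reply: bytes):
    """Reasons a client should not trust this reply (empty list = none)."""
    msg = parse_ntp(reply)
    problems = []
    if msg.mode != 4:
        problems.append(f"unexpected mode {msg.mode} ({MODES[msg.mode]})")
    if msg.li == 3:
        problems.append("leap indicator 11: clock unsynchronized")
    if not 1 <= msg.stratum <= 15:
        problems.append(f"stratum {msg.stratum} is not a synchronized source")
    # The reply's Originate Timestamp (bytes 24-31) must echo the
    # Transmit Timestamp (bytes 40-47) of the request we sent.
    if reply[24:32] != request[40:48]:
        problems.append("originate timestamp does not match our request")
    return problems


# Constructed timestamps: BASE stands for midnight, in NTP seconds.
BASE = 3_900_000_000
T1 = BASE + 10 * 3600          # 10:00:00, request leaves Device A
T2 = BASE + 11 * 3600 + 1      # 11:00:01, request arrives at Device B
T3 = T2 + 1                    # 11:00:02, reply leaves Device B
T4 = T1 + 3                    # 10:00:03, reply arrives at Device A


def worked_example():
    request = build_ntp(mode=3, stratum=16, transmit=T1)
    reply = build_ntp(mode=4, stratum=2, originate=T1, receive=T2, transmit=T3)
    msg = parse_ntp(reply)
    delay, offset = delay_and_offset(msg.originate_ts, msg.receive_ts,
                                     msg.transmit_ts, T4)
    return delay, offset, reply_problems(request, reply)


if __name__ == "__main__":
    print(worked_example())
```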
NTP operation modes
Devices that run NTP can implement clock synchronization in one of the following modes:
· Client/server mode
· Symmetric peers mode
· Broadcast mode
· Multicast mode
You can select operation modes of NTP as needed. If the IP address of the NTP server or peer is unknown and many devices in the network need to be synchronized, you can adopt the broadcast or multicast mode. In client/server or symmetric peers mode, a device is synchronized from the specified server or peer, and clock reliability is enhanced.
Client/server mode
When operating in client/server mode, a client sends a clock synchronization message to servers with the Mode field in the message set to 3 (client mode). Upon receiving the message, the servers automatically operate in server mode and send a reply, with the Mode field in the messages set to 4 (server mode). Upon receiving the replies from the servers, the client performs clock filtering and selection and synchronizes its local clock to that of the optimal reference source.
In client/server mode, a client can be synchronized to a server, but not vice versa.
Symmetric peers mode
In symmetric peers mode, devices that operate in symmetric active mode and symmetric passive mode exchange NTP messages with the Mode field 3 (client mode) and 4 (server mode). The device that operates in symmetric active mode periodically sends clock synchronization messages, with the Mode field in the messages set to 1 (symmetric active). The device that receives the messages automatically enters symmetric passive mode and sends a reply, with the Mode field in the message set to 2 (symmetric passive). This exchange of messages establishes symmetric peers mode between the two devices, so the two devices can synchronize, or be synchronized by, each other. If the clocks of both devices have been synchronized, the device whose local clock has a lower stratum level synchronizes the clock of the other device.
Broadcast mode
In broadcast mode, the server periodically sends clock synchronization messages to broadcast address 255.255.255.255, with the Mode field in the messages set to 5 (broadcast mode). When a client receives the first broadcast message, the client and the server begin to exchange messages with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between them. When the calculation is finished, the client enters broadcast client mode and receives broadcast messages for synchronizing its local clock.
Multicast mode
Figure 6 Multicast mode
In multicast mode, the server periodically sends clock synchronization messages to the user-configured multicast address, with the Mode field set to 5 (multicast mode). If no multicast address is configured, the server sends messages to the default NTP multicast address 224.0.1.1. When a client receives the first multicast message, the client and the server begin to exchange messages with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the network delay between them. When the calculation is finished, the client enters multicast client mode and receives multicast messages for synchronizing its local clock.
In symmetric peers mode, broadcast mode and multicast mode, the client (or the symmetric active peer) and the server (the symmetric passive peer) can operate in the specified NTP working mode only after they exchange NTP messages with the Mode field being 3 (client mode) and the Mode field being 4 (server mode). During this message exchange process, NTP clock synchronization can be implemented.
NTP configuration task list
Task |
Remarks |
Required. |
|
Optional. |
|
Optional. |
|
Optional. |
|
Optional. |
Configuring NTP operation modes
Devices can implement clock synchronization in one of the following modes:
· Client/server mode—Configure only clients.
· Symmetric mode—Configure only symmetric-active peers.
· Broadcast mode—Configure both clients and servers.
· Multicast mode—Configure both clients and servers.
Configuring NTP client/server mode
If you specify the source interface for NTP messages by using the source-interface option, NTP uses the primary IP address of the specified interface as the source IP address of the NTP messages.
A device can act as a server to synchronize other devices only after it is synchronized. If a server has a stratum level higher than or equal to a client, the client does not synchronize to that server.
To specify an NTP server on the client:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify an NTP server for the device. | ntp-service unicast-server { ip-address \| server-name } [ authentication-keyid keyid \| priority \| source-interface interface-type interface-number \| version number ] * | By default, no NTP server is specified. The ip-address argument must be a unicast address. It cannot be a broadcast address, a multicast address or the IP address of the local clock. You can configure multiple servers by repeating the command. The clients will select the optimal reference source. |
Configuring the NTP symmetric peers mode
Follow these guidelines when you configure the NTP symmetric peers mode:
· For devices operating in symmetric mode, specify a symmetric-passive peer on a symmetric-active peer.
· Use the ntp-service refclock-master command or any NTP configuration command in Configuring NTP operation modes to enable NTP. Otherwise, a symmetric-passive peer does not process NTP messages from a symmetric-active peer.
· Either the symmetric-active peer or the symmetric-passive peer must be in synchronized state. Otherwise, clock synchronization does not proceed.
· After you specify the source interface for NTP messages by using the source-interface option, the source IP address of the NTP messages is set as the primary IP address of the specified interface.
To specify a symmetric-passive peer on the active peer:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify a symmetric-passive peer for the device. | ntp-service unicast-peer { ip-address \| peer-name } [ authentication-keyid keyid \| priority \| source-interface interface-type interface-number \| version number ] * | By default, no symmetric-passive peer is specified. You can configure multiple symmetric-passive peers by repeating the command. The ip-address argument must be a unicast address. It cannot be a broadcast address, a multicast address, or the IP address of the local clock. |
Configuring NTP broadcast mode
The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device operating in NTP broadcast client mode sends a reply and synchronizes its local clock.
Configure the NTP broadcast mode on both the server and clients. The NTP broadcast mode can only be configured in a specific interface view because an interface needs to be specified on the broadcast server for sending NTP broadcast messages and on each broadcast client for receiving broadcast messages.
Configuring a broadcast client
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | This command enters the view of the interface for sending NTP broadcast messages. |
3. Configure the device to operate in NTP broadcast client mode. | ntp-service broadcast-client | N/A |
Configuring the broadcast server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | This command enters the view of the interface for sending NTP broadcast messages. |
3. Configure the device to operate in NTP broadcast server mode. | ntp-service broadcast-server [ authentication-keyid keyid \| version number ] * | A broadcast server can synchronize broadcast clients only when its clock has been synchronized. |
Configuring NTP multicast mode
The multicast server periodically sends NTP multicast messages to multicast clients, which send replies after receiving the messages and synchronize their local clocks.
Configure the NTP multicast mode on both the server and clients. The NTP multicast mode must be configured in a specific interface view.
Configuring a multicast client
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | This command enters the view of the interface for sending NTP multicast messages. |
3. Configure the device to operate in NTP multicast client mode. | ntp-service multicast-client [ ip-address ] | You can configure up to 1024 multicast clients, of which 128 can take effect at the same time. |
Configuring the multicast server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | This command enters the view of the interface for sending NTP multicast messages. |
3. Configure the device to operate in NTP multicast server mode. | ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid \| ttl ttl-number \| version number ] * | A multicast server can synchronize broadcast clients only when its clock has been synchronized. |
Configuring the local clock as a reference source
Perform this configuration with caution to avoid clock errors in the network.
Use one of the following methods to synchronize a network device's clock:
· Synchronize it to the local clock, which operates as the reference source.
· Synchronize it to another device on the network in any of the four NTP operation modes: client/server, symmetric, broadcast, or multicast.
If you configure two synchronization modes, the device selects the optimal clock as the reference source.
Typically, the stratum level of the NTP server that is synchronized from an authoritative clock (such as an atomic clock) is set to 1. This NTP server operates as the primary reference source on the network, and other devices synchronize to it. The number of NTP hops between a device and the primary reference source determines the stratum level of the device.
If you configure the local clock as a reference clock, the local device can act as a reference clock to synchronize other devices in the network.
To configure the local clock as a reference source:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the local clock as a reference source. | ntp-service refclock-master [ ip-address ] [ stratum ] | The value of the ip-address argument must be 127.127.1.u, where u ranges from 0 to 3, representing the NTP process ID. |
Configuring optional parameters for NTP
This section explains how to configure the optional parameters of NTP.
Specifying the source interface for NTP messages
If you specify the source interface for NTP messages, the device sets the source IP address of the NTP messages as the primary IP address of the specified interface when sending the NTP messages. To avoid NTP packet loss because of interface down events, H3C recommends specifying a loopback interface as the source interface.
When the device responds to an NTP request received, the source IP address of the NTP response is always the destination IP address of the NTP request.
Configuration guidelines
· The source interface for NTP unicast messages is the interface specified in the ntp-service unicast-server or ntp-service unicast-peer command.
· The source interface for NTP broadcast or multicast messages is the interface where you configure the ntp-service broadcast-server or ntp-service multicast-server command.
Configuration procedure
To specify the source interface for NTP messages:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the source interface for NTP messages. | ntp-service source-interface interface-type interface-number | By default, no source interface is specified for NTP messages, and the system uses the IP address of the interface determined by the matching route as the source IP address of NTP messages. |
Disabling an interface from receiving NTP messages
If NTP is enabled, NTP messages can be received from all the interfaces by default.
To disable an interface from receiving NTP messages:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Disable the interface from receiving NTP messages. | ntp-service in-interface disable | By default, an interface is enabled to receive NTP messages. |
Configuring the allowed maximum number of dynamic associations
Except for the server in client/server operation mode, all NTP devices set up an association to communicate with one another.
NTP has the following types of associations:
· Static association—Association that is created in response to a manual NTP command configuration. A static association is removed when the command that triggered the creation of the association is undone.
· Dynamic association—Association that is created in response to an NTP message exchange. A dynamic association is removed if no messages are exchanged over a specific period of time.
All static and dynamic associations are created automatically.
The following describes how an association is established in different operation modes:
· Client/server mode—When the NTP server is specified on the client, the client creates a static association with the server and sends an NTP message to the server. The server responds to the client, but it does not create an association with the client.
· Symmetric active/passive mode—The symmetric-active peer creates a static association when you specify a symmetric-passive peer on it. When receiving an NTP message from the symmetric-active peer, the symmetric-passive peer creates a dynamic association.
· Broadcast or multicast mode—When you enable a broadcast or multicast server, a static association is created. When receiving an NTP message from the server, the client creates a dynamic association.
The device supports a maximum of 128 concurrent associations, including static associations and dynamic associations.
To configure the maximum number of dynamic associations:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the maximum number of dynamic associations. | ntp-service max-dynamic-sessions number | The default is 100. |
Configuring access-control rights
NTP service access-control rights are peer, server, synchronization, and query, from highest to lowest. When the device receives an NTP message, it performs an access-control right match and uses the first matching right to process the message. If no matching right is found, the device drops the NTP message.
· Query—Control query permitted. This level of right permits a remote NTP device to get NTP-related information (such as NTP states, authentication status, and clock sources) from the local device, but it prevents the local device from becoming a synchronization source of the remote NTP device.
· Synchronization—Server access only. This level of right permits a remote device to use the local device as a synchronization source, but it does not permit the remote device to perform control query.
· Server—Server access and query permitted. This level of right permits a remote device to use the local device as a synchronization source and perform control query, but it does not permit synchronization by the remote device.
· Peer—Full access. This level of right permits a remote device to use the local device as a synchronization source and perform control query, and it also permits the local device to use the remote device as a synchronization source.
The access-control right mechanism provides only a minimum level of security protection for a system running NTP. Identity authentication is more secure.
Configuration prerequisites
Before you configure the NTP service access-control right to the local device, create and configure an ACL associated with the access-control right. For more information about ACLs, see ACL and QoS Configuration Guide.
Configuration procedure
To configure the NTP service access-control right to the local device:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the NTP service access-control right for a peer device to access the local device. | ntp-service access { peer \| query \| server \| synchronization } acl-number | The default is peer. |
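The first-match evaluation of access-control rights, as an added Python example for reviewing a planned configuration (not H3C's code). It assumes that rights are tried from highest to lowest, that each ACL is a plain list of permitted prefixes, and that a device with no ntp-service access rule gives every source the default peer right. The addresses and function names are constructed for the example.

```python
import ipaddress

# Rights from highest to lowest; the first one whose ACL matches is used.
RIGHTS = ("peer", "server", "synchronization", "query")

# What each right permits, following the descriptions in this section:
# (remote may use local device as sync source,
#  remote may perform control query,
#  local device may use remote as sync source)
PERMITS = {
    "peer":            (True, True, True),
    "server":          (True, True, False),
    "synchronization": (True, False, False),
    "query":           (False, True, False),
}


def match_right(source, rules):
    """Return the right applied to `source`, or None if the message is dropped.

    `rules` maps a right to the prefixes its ACL permits (assumed model
    of an ACL). An empty `rules` models a device without any
    ntp-service access command, where the default right is peer.
    """
    if not rules:
        return "peer"
    addr = ipaddress.ip_address(source)
    for right in RIGHTS:
        for prefix in rules.get(right, ()):
            if addr in ipaddress.ip_network(prefix):
                return right
    return None


def review(rules, intended):
    """Compare the right each source really gets with the intended one.

    Returns a list of (source, intended_right, actual_right) mismatches.
    """
    findings = []
    for source, want in intended.items():
        got = match_right(source, rules)
        if got != want:
            findings.append((source, want, got))
    return findings


# Constructed configuration: the query ACL is shadowed by the broader
# synchronization ACL, because synchronization is matched first.
RULES = {
    "peer": ["10.0.0.1/32"],
    "synchronization": ["10.0.0.0/8"],
    "query": ["10.0.0.0/24"],
}

# Constructed intent: 10.0.0.50 is a management station that should be
# able to run control queries; 192.0.2.9 should get nothing.
INTENDED = {
    "10.0.0.1": "peer",
    "10.0.0.50": "query",
    "10.7.7.7": "synchronization",
    "192.0.2.9": None,
}

if __name__ == "__main__":
    for source, want, got in review(RULES, INTENDED):
        print(f"{source}: intended {want}, gets {got} -> {PERMITS.get(got)}")
```

In the constructed configuration the management station ends up with the synchronization right, so its control queries are refused even though it is listed in the query ACL.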
Configuring NTP authentication
To configure NTP authentication, the following tasks are required:
· Enable NTP authentication.
· Configure an authentication key.
· Configure the key as a trusted key.
· Associate the specified key with an NTP server or a symmetric peer.
Configuring NTP authentication in client/server mode
When configuring NTP authentication in client/server mode, follow these guidelines:
· A client can synchronize to the server only when you configure all the required tasks on both the client and server.
· If NTP authentication is not enabled on the client or no key is specified to associate with the NTP server, the client is not authenticated. Clock synchronization between server and client can be performed whether or not NTP authentication is enabled on the server.
· If NTP authentication is enabled on the client and a key is specified to associate with the NTP server, but the key is not a trusted key, the client does not synchronize to the server, whether or not NTP authentication is enabled on the server.
Configuring NTP authentication for a client
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
5. Associate the specified key with an NTP server. | ntp-service unicast-server { ip-address \| server-name } authentication-keyid keyid | You can associate a non-existing key with an NTP server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the NTP server. |
Configuring NTP authentication for a server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
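The client-side rules from the client/server guidelines above, as an added Python model (not H3C's code) that decides whether a client synchronizes to a reply. The authenticator layout, a 32-bit key ID followed by an MD5 digest of the key concatenated with the 48-byte header, is the RFC 5905-style symmetric-key scheme and is an assumption here, because this page only names MD5 authentication. The key ID, key value and header bytes are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

HEADER_LEN = 48      # NTP header; the authenticator follows it
MAC_LEN = 4 + 16     # assumed layout: 32-bit key ID + 128-bit MD5 digest


def make_authenticator(key_id: int, key: bytes, header: bytes) -> bytes:
    """Key ID followed by MD5(key || header) (assumed scheme)."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


@dataclass
class ClientConfig:
    auth_enabled: bool = False                 # ntp-service authentication enable
    keys: dict = field(default_factory=dict)   # keyid -> configured key value
    trusted: set = field(default_factory=set)  # ntp-service reliable authentication-keyid
    server_key_id: Optional[int] = None        # unicast-server ... authentication-keyid


def client_decision(cfg: ClientConfig, reply: bytes):
    """Return (synchronize, reason) for a server reply."""
    # Authentication off, or no key associated with the server: the
    # client is not authenticated and accepts the reply as it is.
    if not cfg.auth_enabled or cfg.server_key_id is None:
        return True, "accepted without authentication"
    key_id = cfg.server_key_id
    # A key may be associated before it exists; until it is configured
    # and marked trusted, the client does not synchronize.
    if key_id not in cfg.keys or key_id not in cfg.trusted:
        return False, "associated key is not a trusted key"
    if len(reply) != HEADER_LEN + MAC_LEN:
        return False, "authenticator missing or malformed"
    header, mac = reply[:HEADER_LEN], reply[HEADER_LEN:]
    (got_id,) = struct.unpack("!I", mac[:4])
    if got_id != key_id:
        return False, "unexpected key ID"
    expected = make_authenticator(key_id, cfg.keys[key_id], header)
    # Constant-time comparison of key ID + digest.
    if not hmac.compare_digest(mac, expected):
        return False, "digest mismatch"
    return True, "authenticated"


# Constructed sample data.
KEY_ID = 42
KEY = b"constructed-key"
HEADER = bytes([0x1C, 2]) + bytes(46)   # LI 0, VN 3, Mode 4 (server), stratum 2
SIGNED_REPLY = HEADER + make_authenticator(KEY_ID, KEY, HEADER)


def scenarios():
    full = ClientConfig(True, {KEY_ID: KEY}, {KEY_ID}, KEY_ID)
    untrusted = ClientConfig(True, {KEY_ID: KEY}, set(), KEY_ID)
    no_auth = ClientConfig()
    tampered = SIGNED_REPLY[:1] + b"\x10" + SIGNED_REPLY[2:]  # stratum altered
    return {
        "all tasks configured, valid reply": client_decision(full, SIGNED_REPLY),
        "all tasks configured, altered reply": client_decision(full, tampered),
        "all tasks configured, unsigned reply": client_decision(full, HEADER),
        "key associated but not trusted": client_decision(untrusted, SIGNED_REPLY),
        "authentication not enabled, unsigned reply": client_decision(no_auth, HEADER),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the one to watch in an audit: a client without authentication enabled accepts an unsigned reply whatever the server is configured to do.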
Configuring NTP authentication in symmetric peers mode
Follow these instructions to configure NTP authentication in symmetric peers mode:
· An active symmetric peer can synchronize to the passive symmetric peer only when you configure all the required tasks on both the active symmetric peer and passive symmetric peer.
· When the active peer has a greater stratum level than the passive peer:
¡ If NTP authentication is not enabled on the active peer or no key is specified to associate with the passive peer, the active peer synchronizes to the passive peer as long as NTP authentication is disabled on the passive peer.
¡ If NTP authentication is enabled on the active peer and a key is associated with the passive peer, but the key is not a trusted key, the active peer does not synchronize to the passive peer, whether or not NTP authentication is enabled on the passive peer.
· When the active peer has a smaller stratum level than the passive peer:
¡ If NTP authentication is not enabled on the active peer, no key is specified to associate with the passive peer, or the key is not a trusted key, the active peer can synchronize to the passive peer as long as NTP authentication is disabled on the passive peer.
Configuring NTP authentication for an active peer
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the active symmetric peer and passive symmetric peer. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
5. Associate the specified key with the passive peer. | ntp-service unicast-peer { ip-address \| peer-name } authentication-keyid keyid | You can associate a non-existing key with a passive peer. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the passive peer. |
Configuring NTP authentication for a passive peer
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the active symmetric peer and passive symmetric peer. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
Configuring NTP authentication in broadcast mode
When configuring NTP authentication in broadcast mode, follow these guidelines:
· A broadcast client can synchronize to the broadcast server only when you configure all the required tasks on both the broadcast client and server.
· If NTP authentication is not enabled on the client, the broadcast client can synchronize to the broadcast server, whether or not NTP authentication is enabled on the server.
Configuring NTP authentication for a broadcast client
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
Configuring NTP authentication for a broadcast server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
5. Enter interface view. | interface interface-type interface-number | N/A |
6. Associate the specified key with the broadcast server. | ntp-service broadcast-server authentication-keyid keyid | You can associate a non-existing key with the broadcast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the broadcast server. |
Configuring NTP authentication in multicast mode
When configuring NTP authentication in multicast mode, follow these guidelines:
· A multicast client can synchronize to the multicast server only when you configure all the required tasks on both the multicast client and server.
· If NTP authentication is not enabled on the client, the multicast client can synchronize to the multicast server, whether or not NTP authentication is enabled on the server.
Configuring NTP authentication for a multicast client
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
Configuring NTP authentication for a multicast server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable NTP authentication. | ntp-service authentication enable | By default, NTP authentication is disabled. |
3. Configure an NTP authentication key. | ntp-service authentication-keyid keyid authentication-mode md5 [ cipher \| simple ] value [ acl ipv4-acl-number ] * | By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. |
4. Configure the key as a trusted key. | ntp-service reliable authentication-keyid keyid | By default, no authentication key is configured to be trusted. |
5. Enter interface view. | interface interface-type interface-number | N/A |
6. Associate the specified key with the multicast server. | ntp-service multicast-server authentication-keyid keyid | You can associate a non-existing key with the multicast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the multicast server. |
Displaying and maintaining NTP
Task | Command | Remarks |
---|---|---|
Display information about NTP service status. | display ntp-service status [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display information about NTP associations. | display ntp-service sessions [ verbose ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display brief information about the NTP servers from the local device back to the primary reference source. | display ntp-service trace [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
NTP client/server mode configuration example
Network requirements
Configure NTP to synchronize the time between the switch and the AC in Figure 7:
· Use the local clock of the switch as a reference source, with the stratum level 2.
· Set the AC in client/server mode, and use the switch as the NTP server of the AC.
Configuration procedure
1. Set the IP address for each interface as shown in Figure 7. (Details not shown.)
2. Configure the switch:
# Specify the local clock as the reference source, with the stratum level 2.
<Switch> system-view
[Switch] ntp-service refclock-master 2
3. Configure the AC:
# Display the NTP status of the AC before clock synchronization.
<AC> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^17
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
# Specify the switch as the NTP server of the AC so that the AC is synchronized to the switch.
<AC> system-view
[AC] ntp-service unicast-server 1.0.1.11
# Display the NTP status of the AC after clock synchronization.
[AC] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)
The output shows that the AC has synchronized to the switch, and the clock stratum level is 3 on the AC and 2 on the switch.
# Display NTP association information for the AC, which shows that an association has been set up between the AC and the switch.
[AC] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[12345] 1.0.1.11 127.127.1.0 2 63 64 3 -75.5 31.0 16.5
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
NTP symmetric peers mode configuration example
Network requirements
Configure NTP to synchronize time among the devices in Figure 8:
· Use the local clock of the switch as a reference source, with the stratum level 2.
· Place AC 1 in client mode and use the switch as the NTP server of AC 1.
· Place AC 2 in symmetric-active mode and configure AC 1 as the peer of AC 2.
Configuration procedure
1. Set the IP address for each interface as shown in Figure 8. (Details not shown.)
2. Configure the switch:
# Specify the local clock as the reference source, with the stratum level 2.
<Switch> system-view
[Switch] ntp-service refclock-master 2
3. Configure AC 1:
# Specify the switch as the NTP server of AC 1.
<AC1> system-view
[AC1] ntp-service unicast-server 3.0.1.31
4. Configure AC 2 (after AC 1 is synchronized to the switch):
# Specify the local clock as the reference source, with the stratum level 1.
<AC2> system-view
[AC2] ntp-service refclock-master 1
# Configure AC 1 as a symmetric peer after local synchronization.
[AC2] ntp-service unicast-peer 3.0.1.32
AC 1 and AC 2 are now configured as symmetric peers, with AC 2 in symmetric-active mode and AC 1 in symmetric-passive mode. Because the stratum level of AC 2 is 1 while that of AC 1 is 3, AC 1 synchronizes to AC 2.
# Display the NTP status of AC 1 after clock synchronization.
[AC1] display ntp-service status
Clock status: synchronized
Clock stratum: 2
Reference clock ID: 3.0.1.33
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: -21.1982 ms
Root delay: 15.00 ms
Root dispersion: 775.15 ms
Peer dispersion: 34.29 ms
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
The output shows that AC 1 has synchronized to AC 2, and the clock stratum level is 2 on AC 1 and 1 on AC 2.
# Display NTP association information for AC 1, which shows that an association has been set up between AC 1 and AC 2.
[AC1] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[245] 3.0.1.31 127.127.1.0 2 15 64 24 10535.0 19.6 14.5
[1234] 3.0.1.33 LOCL 1 14 64 27 -77.0 16.0 14.8
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 2
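The status and association output above can be checked by a script, for example to confirm that a device follows only the time sources you intend. The following Python sketch is an added example, not part of the original guide: it parses the two displays, decodes the hexadecimal reference time, and reports findings. The trusted-source list and the offset limit are hypothetical policy values, and the offset column is assumed to be in milliseconds.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
FLAG_NAMES = {"1": "source(master)", "2": "source(peer)", "3": "selected",
              "4": "candidate", "5": "configured"}
SESSION_RE = re.compile(r"\[(\d+)\]\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
                        r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)")

# Output of AC 1 copied (abridged) from the symmetric peers example above.
STATUS = """\
Clock status: synchronized
Clock stratum: 2
Reference clock ID: 3.0.1.33
Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
"""
SESSIONS = """\
[245] 3.0.1.31 127.127.1.0 2 15 64 24 10535.0 19.6 14.5
[1234] 3.0.1.33 LOCL 1 14 64 27 -77.0 16.0 14.8
"""


def parse_status(text):
    """Map the 'Field: value' lines of `display ntp-service status` to a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields


def decode_ntp_timestamp(hex_ts):
    """Convert the 32.32 fixed-point hex form (seconds since 1900) to UTC."""
    sec_hex, frac_hex = hex_ts.split(".")
    micros = round(int(frac_hex, 16) * 1_000_000 / 2**32)
    return NTP_EPOCH + timedelta(seconds=int(sec_hex, 16), microseconds=micros)


def parse_sessions(text):
    """Return one dict per association line, with the [flags] digits decoded."""
    rows = []
    for m in SESSION_RE.finditer(text):
        rows.append({"flags": [FLAG_NAMES[d] for d in m.group(1) if d in FLAG_NAMES],
                     "source": m.group(2), "reference": m.group(3),
                     "stratum": int(m.group(4)), "offset_ms": float(m.group(8))})
    return rows


def audit(status_text, sessions_text, trusted_sources, max_offset_ms=1000.0):
    """Return findings. trusted_sources and max_offset_ms are hypothetical
    policy inputs; the offset column is assumed to be in milliseconds."""
    status, findings = parse_status(status_text), []
    ref = status.get("Reference clock ID")
    if status.get("Clock status") != "synchronized":
        findings.append("clock is unsynchronized")
    elif ref not in trusted_sources:
        findings.append(f"synchronized to untrusted source {ref}")
    for row in parse_sessions(sessions_text):
        if abs(row["offset_ms"]) > max_offset_ms:
            findings.append(f"{row['source']}: offset {row['offset_ms']} ms exceeds limit")
    return findings


if __name__ == "__main__":
    print(decode_ntp_timestamp("C6D95647.153F7CED").isoformat())
    # Hypothetical policy: only the switch (3.0.1.31) is a trusted source.
    for finding in audit(STATUS, SESSIONS, {"3.0.1.31"}):
        print(finding)
```

With only the switch listed as trusted, the check reports that AC 1 follows 3.0.1.33, which is the expected result of the stratum 1 peer winning selection in this example.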
NTP broadcast mode configuration example
Network requirements
As shown in Figure 9, AC 2 functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices, as follows:
· AC 2's local clock is to be used as a reference source, with the stratum level 2.
· AC 2 operates in broadcast server mode and sends out broadcast messages from VLAN-interface 2.
· AC 1 and AC 3 operate in broadcast client mode, and receive broadcast messages through VLAN-interface 3 and VLAN-interface 2, respectively.
Configuration procedure
1. Set the IP address for each interface as shown in Figure 9. (Details not shown.)
2. Configure AC 2:
# Specify the local clock as the reference source, with the stratum level 2.
<AC2> system-view
[AC2] ntp-service refclock-master 2
# Configure AC 2 to operate in broadcast server mode and send broadcast messages through VLAN-interface 2.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ntp-service broadcast-server
3. Configure AC 3:
# Configure AC 3 to operate in broadcast client mode and receive broadcast messages on VLAN-interface 2.
<AC3> system-view
[AC3] interface vlan-interface 2
[AC3-Vlan-interface2] ntp-service broadcast-client
4. Configure AC 1:
# Configure AC 1 to operate in broadcast client mode and receive broadcast messages on VLAN-interface 3.
<AC1> system-view
[AC1] interface vlan-interface 3
[AC1-Vlan-interface3] ntp-service broadcast-client
AC 1 cannot receive broadcast messages from AC 2, because AC 1 and AC 2 are on different network segments. AC 3 is synchronized upon receiving a broadcast message from AC 2.
# Take AC 3 as an example. Display the NTP status of AC 3 after clock synchronization.
[AC3-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that AC 3 has synchronized to AC 2, and the clock stratum level is 3 on AC 3 and 2 on AC 2.
# Display NTP association information for AC 3, which shows that an association has been set up between AC 3 and AC 2.
[AC3-Vlan-interface2] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 2 254 64 62 -16.0 32.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
NTP multicast mode configuration example
Network requirements
As shown in Figure 10, AC 2 functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices, as follows:
· AC 2's local clock is to be used as a reference source, with the stratum level 2.
· AC 2 operates in multicast server mode and sends out multicast messages from VLAN-interface 2.
· AC 1 and AC 3 operate in multicast client mode and receive multicast messages through VLAN-interface 3 and VLAN-interface 2, respectively.
Configuration procedure
1. Set the IP address for each interface as shown in Figure 10. (Details not shown.)
2. Configure AC 2:
# Specify the local clock as the reference source, with the stratum level 2.
<AC2> system-view
[AC2] ntp-service refclock-master 2
# Configure AC 2 to operate in multicast server mode and send multicast messages through VLAN-interface 2.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ntp-service multicast-server
3. Configure AC 3:
# Configure AC 3 to operate in multicast client mode and receive multicast messages on VLAN-interface 2.
<AC3> system-view
[AC3] interface vlan-interface 2
[AC3-Vlan-interface2] ntp-service multicast-client
Because AC 3 and AC 2 are on the same subnet, AC 3 can receive the multicast messages from AC 2 and synchronize to AC 2 without multicast functions being enabled.
# Display the NTP status of AC 3 after clock synchronization.
[AC3-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that AC 3 has synchronized to AC 2, and the clock stratum level is 3 on AC 3 and 2 on AC 2.
# Display NTP association information for AC 3, which shows that an association has been set up between AC 3 and AC 2.
[AC3-Vlan-interface2] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 2 254 64 62 -16.0 31.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
4. Configure the switch:
Because AC 1 and AC 2 are on different subnets, you must enable multicast functions on the switch before AC 1 can receive multicast messages from AC 2.
# Enable IP multicast routing and IGMP.
<Switch> system-view
[Switch] multicast routing-enable
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] pim dm
[Switch-Vlan-interface2] quit
[Switch] vlan 3
[Switch-vlan3] port gigabitethernet 1/0/1
[Switch-vlan3] quit
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] igmp enable
[Switch-Vlan-interface3] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] igmp-snooping static-group 224.0.1.1 vlan 3
5. Configure AC 1:
<AC1> system-view
[AC1] interface vlan-interface 3
# Configure AC 1 to operate in multicast client mode and receive multicast messages on VLAN-interface 3.
[AC1-Vlan-interface3] ntp-service multicast-client
# Display the NTP status of AC 1 after clock synchronization.
[AC1-Vlan-interface3] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 40.00 ms
Root dispersion: 10.83 ms
Peer dispersion: 34.30 ms
Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that AC 1 has synchronized to AC 2, and the clock stratum level is 3 on AC 1 and 2 on AC 2.
# Display NTP association information for AC 1, which shows that an association has been set up between AC 1 and AC 2.
[AC1-Vlan-interface3] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 2 255 64 26 -16.0 40.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
Configuration example for NTP client/server mode with authentication
Network requirements
As shown in Figure 11, configure NTP to synchronize the time between the switch and the AC and to ensure network security:
· Configure the local clock of the switch as a reference source, with the stratum level 2.
· Configure the AC to operate in client mode and the switch to be the NTP server of the AC.
· Enable NTP authentication on both the switch and the AC.
Configuration procedure
1. Set the IP address for each interface as shown in Figure 11. (Details not shown.)
2. Configure the switch:
# Specify the local clock as the reference source, with the stratum level 2.
<Switch> system-view
[Switch] ntp-service refclock-master 2
3. Configure the AC:
<AC> system-view
# Enable NTP authentication on the AC.
[AC] ntp-service authentication enable
# Set an authentication key.
[AC] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key as a trusted key.
[AC] ntp-service reliable authentication-keyid 42
# Specify the switch as the NTP server of the AC.
[AC] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
Before the AC can synchronize its clock to the switch, enable NTP authentication on the switch.
Perform the following configurations on the switch:
# Enable NTP authentication.
[Switch] ntp-service authentication enable
# Set an authentication key.
[Switch] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key as a trusted key.
[Switch] ntp-service reliable authentication-keyid 42
# Display the NTP status of the AC after clock synchronization.
[AC] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22)
The output shows that the AC has synchronized to the switch, and the clock stratum level is 3 on the AC and 2 on the switch.
# Display NTP association information for the AC, which shows that an association has been set up between the AC and the switch.
[AC] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[12345] 1.0.1.11 127.127.1.0 2 63 64 3 -75.5 31.0 16.5
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
Configuration example for NTP broadcast mode with authentication
Network requirements
As shown in Figure 12, AC 2 functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices, as follows:
· AC 2's local clock is to be used as a reference source, with the stratum level 3.
· AC 2 operates in broadcast server mode and sends out broadcast messages from VLAN-interface 2.
· AC 1 and AC 3 operate in broadcast client mode, and receive broadcast messages through VLAN-interface 3 and VLAN-interface 2, respectively.
· NTP authentication is enabled on both AC 2 and AC 3.
Configuration procedure
1. Set the IP address for each interface as shown in Figure 12. (Details not shown.)
2. Configure AC 1:
# Configure AC 1 to operate in NTP broadcast client mode and receive NTP broadcast messages on VLAN-interface 3.
<AC1> system-view
[AC1] interface vlan-interface 3
[AC1-Vlan-interface3] ntp-service broadcast-client
3. Configure AC 3:
# Enable NTP authentication on AC 3. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Specify the key as a trusted key.
<AC3> system-view
[AC3] ntp-service authentication enable
[AC3] ntp-service authentication-keyid 88 authentication-mode md5 123456
[AC3] ntp-service reliable authentication-keyid 88
# Configure AC 3 to operate in broadcast client mode and receive NTP broadcast messages on VLAN-interface 2.
[AC3] interface vlan-interface 2
[AC3-Vlan-interface2] ntp-service broadcast-client
4. Configure AC 2:
# Specify the local clock as the reference source, with the stratum level 3.
<AC2> system-view
[AC2] ntp-service refclock-master 3
# Configure AC 2 to operate in NTP broadcast server mode and use VLAN-interface 2 to send NTP broadcast packets.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ntp-service broadcast-server
[AC2-Vlan-interface2] quit
# AC 1 synchronizes its local clock based on the received broadcast messages sent from AC 2. Display NTP service status information on AC 1.
[AC1-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that AC 1 has synchronized to AC 2. The stratum level is 4 on AC 1 and 3 on AC 2.
# Display NTP association information for AC 1, which shows that an association has been set up between AC 1 and AC 2.
[AC1-Vlan-interface2] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 3 254 64 62 -16.0 32.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
# NTP authentication is enabled on AC 3, but not enabled on AC 2, so AC 3 cannot synchronize to AC 2.
[AC3-Vlan-interface2] display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)
# Enable NTP authentication on AC 2. Configure an NTP authentication key, with the key ID of 88 and key value of 123456. Specify the key as a trusted key.
[AC2] ntp-service authentication enable
[AC2] ntp-service authentication-keyid 88 authentication-mode md5 123456
[AC2] ntp-service reliable authentication-keyid 88
# Specify AC 2 as an NTP broadcast server, and associate the key 88 with AC 2.
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88
# After NTP authentication is enabled on AC 2, AC 3 can synchronize to AC 2. Display NTP service status on AC 3.
[AC3-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
The output shows that AC 3 has synchronized to AC 2. The stratum level is 4 on AC 3 and 3 on AC 2.
# Display NTP association information for AC 3, which shows that an association has been set up between AC 3 and AC 2.
[AC3-Vlan-interface2] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234] 3.0.1.31 127.127.1.0 3 254 64 62 -16.0 32.0 16.6
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
# Configuration of NTP authentication on AC 2 does not affect AC 1. AC 1 still synchronizes to AC 2.
[AC1-Vlan-interface2] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID: 3.0.1.31
Nominal frequency: 64.0000 Hz
Actual frequency: 64.0000 Hz
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 31.00 ms
Root dispersion: 8.31 ms
Peer dispersion: 34.30 ms
Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02)
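The two authentication examples above behave as they do because of how the receiver checks the message authentication code appended to each NTP packet. The following Python sketch is an added example, not part of the original guide: it models the symmetric-key scheme of RFC 5905 (key ID followed by MD5 over the key and the NTP header) with the key ID 88 and key value 123456 from the broadcast example. The header contents are constructed, and the device's internal handling is assumed to follow this model.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header without extension fields
MAC_LEN = 4 + 16  # 32-bit key ID followed by a 128-bit MD5 digest


def build_header(mode, stratum, version=3):
    """Constructed NTP header: LI/VN/mode, stratum, poll, precision, rest zeroed."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", first, stratum, 6, -7) + bytes(HEADER_LEN - 4)


def sign(header, key_id, key):
    """Sender side: append the key ID and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def receive(packet, auth_enabled, trusted_keys):
    """Receiver side: return 'accepted' or the reason the packet is dropped."""
    if not auth_enabled:
        return "accepted"  # any MAC that is present is ignored
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(mac) != MAC_LEN:
        return "dropped: no MAC"
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return "dropped: key ID not trusted"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "dropped: digest mismatch"
    return "accepted"


def broadcast_example():
    """Replay the broadcast-mode example: AC 2 sends, AC 3 and AC 1 receive."""
    header = build_header(mode=5, stratum=3)        # mode 5 = broadcast
    plain = header                                   # AC 2 before authentication
    signed = sign(header, 88, b"123456")             # AC 2 after authentication
    tampered = bytes([signed[0], 1]) + signed[2:]    # stratum rewritten in transit
    ac3 = {"auth_enabled": True, "trusted_keys": {88: b"123456"}}
    ac1 = {"auth_enabled": False, "trusted_keys": {}}
    return {
        "AC3 <- unsigned": receive(plain, **ac3),
        "AC3 <- signed": receive(signed, **ac3),
        "AC3 <- tampered": receive(tampered, **ac3),
        "AC3 <- wrong key": receive(sign(header, 88, b"654321"), **ac3),
        "AC3 <- untrusted key ID": receive(sign(header, 42, b"aNiceKey"), **ac3),
        "AC1 <- unsigned": receive(plain, **ac1),
        "AC1 <- signed": receive(signed, **ac1),
    }


if __name__ == "__main__":
    for case, result in broadcast_example().items():
        print(f"{case}: {result}")
```

The digest proves knowledge of the shared key and protects the header against modification; it does not encrypt the packet, so the strength of the scheme rests on the key value staying secret and hard to guess.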