Contents
display ntp-service ipv6 sessions
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service cwmp unicast-server
ntp-service ipv6 inbound enable
ntp-service ipv6 multicast-client
ntp-service ipv6 multicast-server
ntp-service ipv6 time-server enable
ntp-service ipv6 unicast-server
ntp-service max-dynamic-sessions
ntp-service reliable authentication-keyid
ntp-service time-offset-threshold
ntp-service time-server enable
sntp reliable authentication-keyid
NTP commands
NTP is supported only on the following Layer 3 interfaces:
· Layer 3 Ethernet interfaces.
· Layer 3 Ethernet subinterfaces.
· Layer 3 aggregate interfaces.
· Layer 3 aggregate subinterfaces.
· VLAN interfaces.
· Tunnel interfaces.
display ntp-service ipv6 sessions
Use display ntp-service ipv6 sessions to display information about all IPv6 NTP associations.
Syntax
display ntp-service ipv6 sessions [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed information about all IPv6 NTP associations. If you do not specify this keyword, the command displays only brief information about the IPv6 NTP associations.
Examples
# Display brief information about all IPv6 NTP associations.
<Sysname> display ntp-service ipv6 sessions
Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.
Source: [125]3000::32
Reference: 127.127.1.0 Clock stratum: 2
Reachabilities: 1 Poll interval: 64
Last receive time: 6 Offset: -0.0
Roundtrip delay: 0.0 Dispersion: 0.0
Total sessions : 1
Table 1 Command output
Field | Description |
---|---|
[12345] | · 1—Clock source selected by the system (the current reference source). · 2—The stratum level of the clock source is less than or equal to 15. · 3—The clock source has survived the clock selection algorithm. · 4—The clock source is a candidate clock source. · 5—The clock source was created by a command. |
Source | IPv6 address of the NTP server. If this field displays ::, the IPv6 address of the NTP server has not been resolved successfully. |
Reference | Reference clock ID of the NTP server: · If the reference clock is the local clock, the value of this field is related to the value of the Clock stratum field: ◦ When the value of the Clock stratum field is 0 or 1, this field displays LOCL. ◦ When the Clock stratum field has another value, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. · If the reference clock is the clock of another device on the network, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. If this field displays INIT, the local device has not established a connection with the NTP server. |
Clock stratum | Clock stratum level. The stratum level determines the clock precision. The value is in the range of 0 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized. |
Reachabilities | Reachability count of the NTP server. 0 indicates that the NTP server is unreachable. |
Poll interval | Polling interval in seconds. It is the maximum interval between successive NTP messages. |
Last receive time | Length of time from when the last NTP message was received or when the local clock was last updated to the current time. Time is in seconds by default. · If the time length is greater than 2048 seconds, it is displayed in minutes (m). · If the time length is greater than 300 minutes, it is displayed in hours (h). · If the time length is greater than 96 hours, it is displayed in days (d). · If the time length is greater than 999 days, it is displayed in years (y). If the time when the most recent NTP message was received or when the local clock was updated most recently is behind the current time, this field displays a hyphen (-). |
Offset | Offset of the system clock relative to the reference clock, in milliseconds. |
Roundtrip delay | Roundtrip delay from the local device to the clock source, in milliseconds. |
Dispersion | Maximum error of the system clock relative to the reference source. |
Total sessions | Total number of associations. |
# Display detailed information about all IPv6 NTP associations.
<Sysname> display ntp-service ipv6 sessions verbose
Clock source: 1::1
Session ID: 36144
Clock stratum: 16
Clock status: configured, insane, valid, unsynced
Reference clock ID: INIT
VPN instance: Not specified
Local mode: sym_active, local poll interval: 6
Peer mode: unspec, peer poll interval: 10
Offset: 0.0000ms, roundtrip delay: 0.0000ms, dispersion: 15937ms
Root roundtrip delay: 0.0000ms, root dispersion: 0.0000ms
Reachabilities:0, sync distance: 15.938
Precision: 2^-23, version: 4, source interface: Not specified
Reftime: 00000000.00000000 Thu, Feb 7 2019 6:28:16.000
Orgtime: d17cbb21.0f318106 Tue, May 17 2019 9:15:13.059
Rcvtime: 00000000.00000000 Thu, Feb 7 2019 6:28:16.000
Xmttime: 00000000.00000000 Thu, Feb 7 2019 6:28:16.000
Roundtrip delay samples: 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
Offset samples: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
Filter order: 0 1 2 3 4 5 6 7
Total sessions: 1
Table 2 Command output
Field | Description |
---|---|
Clock source | IPv6 address of the clock source. If this field displays ::, the IPv6 address of the NTP server has not been resolved successfully. |
Clock stratum | Clock stratum level. The stratum level determines the clock precision. The value is in the range of 0 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized. |
Clock status | Status of the clock source corresponding to this association: · configured—The association was created at the CLI. · dynamic—The association is established dynamically. · master—The clock source is the primary NTP server of the current system. · selected—The clock source has survived the clock selection algorithm. · candidate—The clock source is the candidate reference source. · sane—The clock source has passed authentication and its clock will be used as the reference clock. · insane—The clock source has not passed authentication, or it has passed authentication but its clock will not be used as the reference clock. · valid—The clock source is valid, which means the clock source meets the following requirements: ◦ It has been authenticated and synchronized. ◦ Its stratum level is valid. ◦ Its root delay and root dispersion values are within their ranges. · invalid—The clock source is invalid. · unsynced—The clock source has not been synchronized or the value of the stratum level is invalid. |
Reference clock ID | · If the reference clock is the local clock, the value of this field is related to the value of the Clock stratum field: ◦ When the value of the Clock stratum field is 0 or 1, this field displays LOCL. ◦ When the Clock stratum field has another value, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. · If the reference clock is the clock of another device on the network, this field displays the MD5 digest value of the first 32 bits of the IPv6 address. The MD5 digest value is in dotted decimal format. If this field displays INIT, the local device has not established a connection with the NTP server. |
VPN instance | VPN instance of the NTP server. If the NTP server is in a public network, this field displays Not specified. |
Local mode | Operation mode of the local device: · unspec—The mode is unspecified. · sym_active—Active mode. · sym_passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode. |
local poll interval | Polling interval for the local device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2^6, or 64 seconds. |
peer mode | Operation mode of the peer device: · unspec—The mode is unspecified. · sym_active—Active mode. · sym_passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode. |
peer poll interval | Polling interval for the peer device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the polling interval of the local device is 2^6, or 64 seconds. |
Offset | Offset of the system clock relative to the reference clock, in milliseconds. |
roundtrip delay | Roundtrip delay from the local device to the clock source, in milliseconds. |
dispersion | Maximum error of the system clock relative to the reference clock. |
Root roundtrip delay | Roundtrip delay from the local device to the primary NTP server, in milliseconds. |
root dispersion | Maximum error of the system clock relative to the primary NTP server, in milliseconds. |
Reachabilities | Reachability count of the clock source. 0 indicates that the clock source is unreachable. |
sync distance | Synchronization distance relative to the upper-level clock, in seconds, and calculated from dispersion and roundtrip delay values. |
Precision | Accuracy of the system clock. |
version | NTP version in the range of 1 to 4. |
source interface | Source interface. If the source interface is not specified, this field displays Not specified. |
Reftime | Reference timestamp in the NTP message. |
Orgtime | Originate timestamp in the NTP message. |
Rcvtime | Receive timestamp in the NTP message. |
Xmttime | Transmit timestamp in the NTP message. |
Filter order | Dispersion information. |
Reference clock status | Status of the local clock. The field is displayed only when you use the ntp-service refclock-master command to set the local clock as the reference clock. When the reach field of the local clock is 255, the field is displayed as working normally. Otherwise, the field is displayed as working abnormally. |
Total sessions | Total number of associations. |
display ntp-service sessions
Use display ntp-service sessions to display information about all IPv4 NTP associations.
Syntax
display ntp-service sessions [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed information about all IPv4 NTP associations. If you do not specify this keyword, the command displays only brief information about the NTP associations.
Usage guidelines
When a device is operating in NTP broadcast or multicast server mode, the display ntp-service sessions command does not display the IPv4 NTP association information corresponding to the broadcast or multicast server. However, the associations are counted in the total number of associations.
Examples
# Display brief information about all IPv4 NTP associations.
<Sysname> display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[12345]LOCAL(0) LOCL 0 1 64 - 0.0000 0.0000 7937.9
[5]0.0.0.0 INIT 16 0 64 - 0.0000 0.0000 0.0000
Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.
Total sessions: 1
Table 3 Command output
Field | Description |
---|---|
source | · When the reference clock is the local clock, the field displays LOCAL (number). It indicates that the IP address of the local clock is 127.127.1.number, where number represents the NTP process number in the range of 0 to 3. · When the reference clock is the clock of another device, the field displays the IP address of the NTP server. If this field displays 0.0.0.0, the IP address of the NTP server has not been resolved successfully. |
reference | Reference clock ID of the NTP server: · If the reference clock is the local clock, the value of this field is related to the value of the stra field: ◦ When the value of the stra field is 0 or 1, this field displays LOCL. ◦ When the stra field has another value, this field displays the IP address of the local clock. · If the reference clock is the clock of another device on the network, this field displays the IP address of the device. If the device supports IPv6, this field displays the MD5 digest of the first 32 bits of the IPv6 address of the device. If this field displays INIT, the local device has not established a connection with the NTP server. |
stra | Clock stratum level. The stratum level determines the clock precision. The value is in the range of 0 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized. |
reach | Reachability count of the clock source. 0 indicates that the clock source is unreachable. |
poll | Polling interval in seconds. It is the maximum interval between successive NTP messages. |
now | Length of time from when the last NTP message was received or when the local clock was last updated to the current time. Time is in seconds by default. · If the time length is greater than 2048 seconds, it is displayed in minutes (m). · If the time length is greater than 300 minutes, it is displayed in hours (h). · If the time length is greater than 96 hours, it is displayed in days (d). · If the time length is greater than 999 days, it is displayed in years (y). If the time when the most recent NTP message was received or when the local clock was updated most recently is behind the current time, this field displays a hyphen (-). |
offset | Offset of the system clock relative to the reference clock, in milliseconds. |
delay | Roundtrip delay from the local device to the NTP server, in milliseconds. |
disper | Maximum error of the system clock relative to the reference source, in milliseconds. |
[12345] | · 1—Clock source selected by the system (the current reference source). · 2—The stratum level of the clock source is less than or equal to 15. · 3—The clock source has survived the clock selection algorithm. · 4—The clock source is a candidate clock source. · 5—The clock source was created by a configuration command. |
Total sessions | Total number of associations. |
# Display detailed information about all IPv4 NTP associations.
<Sysname> display ntp-service sessions verbose
Clock source: 192.168.1.40
Session ID: 35888
Clock stratum: 2
Clock status: configured, master, sane, valid
Reference clock ID: 127.127.1.0
VPN instance: Not specified
Local mode: client, local poll interval: 6
Peer mode: server, peer poll interval: 6
Offset: 0.2862ms, roundtrip delay: 3.2653ms, dispersion: 4.5166ms
Root roundtrip delay: 0.0000ms, root dispersion: 10.910ms
Reachabilities:31, sync distance: 0.0194
Precision: 2^-23, version: 3, source interface: Not specified
Reftime: d17cbba5.1473de1e Tue, May 17 2019 9:17:25.079
Orgtime: 00000000.00000000 Thu, Feb 7 2019 6:28:16.000
Rcvtime: d17cbbc0.b1959a30 Tue, May 17 2019 9:17:52.693
Xmttime: d17cbbc0.b1959a30 Tue, May 17 2019 9:17:52.693
Roundtrip delay samples: 0.007 0.010 0.006 0.011 0.010 0.005 0.007 0.003
Offset samples: 5629.55 3913.76 5247.27 6526.92 31.99 148.72 38.27 0.29
Filter order: 7 5 2 6 0 4 1 3
Total sessions: 1
Table 4 Command output
Field | Description |
---|---|
Clock source | IP address of the NTP server. If this field displays 0.0.0.0, the IP address of the NTP server has not been resolved successfully. |
Clock stratum | Clock stratum level. The stratum level determines the clock precision. The value is in the range of 0 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized. |
Clock status | Status of the clock source corresponding to this association: · configured—The association was created by a configuration command. · dynamic—The association is established dynamically. · master—The clock source is the primary NTP server of the current system. · selected—The clock source has survived the clock selection algorithm. · candidate—The clock source is the candidate reference source. · sane—The clock source has passed authentication and its clock will be used as the reference clock. · insane—The clock source has not passed authentication, or it has passed authentication but its clock will not be used as the reference clock. · valid—The clock source is valid, which means the clock source meets the following requirements: ◦ It has been authenticated and synchronized. ◦ Its stratum level is valid. ◦ Its root delay and root dispersion values are within their ranges. · invalid—The clock source is invalid. · unsynced—The clock source has not been synchronized or the value of the stratum level is invalid. |
Reference clock ID | Reference clock ID of the NTP server: · If the reference clock is the local clock, the value of this field is related to the value of the Clock stratum field: ◦ When the value of the Clock stratum field is 0 or 1, this field displays LOCL. ◦ When the Clock stratum field has another value, this field displays the IP address of the local clock. · If the reference clock is the clock of another device on the network, this field displays the IP address of the device. If the device supports IPv6, this field displays the MD5 digest of the first 32 bits of the IPv6 address of the device. If this field displays INIT, the local device has not established a connection with the NTP server. |
VPN instance | VPN instance to which the NTP server belongs. If the NTP server is in a public network, the field displays Not specified. |
Local mode | Operation mode of the local device: · unspec—The mode is unspecified. · active—Active mode. · passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode. |
local poll interval | Polling interval of the local device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2^6, or 64 seconds. |
Peer mode | Operation mode of the peer device: · unspec—The mode is unspecified. · active—Active mode. · passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode. |
peer poll interval | Polling interval of the peer device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2^6, or 64 seconds. |
Offset | Offset of the system clock relative to the reference clock, in milliseconds. |
roundtrip delay | Roundtrip delay from the local device to the NTP server, in milliseconds. |
dispersion | Maximum error of the system clock relative to the reference clock. |
Root roundtrip delay | Roundtrip delay from the local device to the primary NTP server, in milliseconds. |
root dispersion | Maximum error of the system clock relative to the primary reference clock, in milliseconds. |
Reachabilities | Reachability count of the clock source. 0 indicates that the clock source is unreachable. |
sync distance | Synchronization distance relative to the upper-level clock, in seconds, and calculated from dispersion and roundtrip delay values. |
Precision | Accuracy of the system clock. |
version | NTP version in the range of 1 to 4. |
source interface | Source interface. If the source interface is not specified, this field is Not specified. |
Reftime | Reference timestamp in the NTP message. |
Orgtime | Originate timestamp in the NTP message. |
Rcvtime | Receive timestamp in the NTP message. |
Xmttime | Transmit timestamp in the NTP message. |
Filter order | Sample information order. |
Reference clock status | Status of the local clock. The field is displayed only when you use the ntp-service refclock-master command to set the local clock as the reference clock. When the reach field of the local clock is 255, the field is displayed as working normally. Otherwise, the field is displayed as working abnormally. |
Total sessions | Total number of associations. |
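The verbose fields described in Table 2 and Table 4 can be checked mechanically when the command output is collected from many devices. The following Python parser is an added example, not part of the vendor documentation: it splits the output into associations and flags the states the tables mark as unauthenticated, unsynchronized or unreachable. The finding labels and the 128 ms offset limit are assumptions of this example.

```python
import re

# Constructed input: the IPv4 and IPv6 verbose samples from this page,
# concatenated and trimmed to the fields the checks below read.
SAMPLE = """\
Clock source: 192.168.1.40
Session ID: 35888
Clock stratum: 2
Clock status: configured, master, sane, valid
Reference clock ID: 127.127.1.0
Local mode: client, local poll interval: 6
Peer mode: server, peer poll interval: 6
Offset: 0.2862ms, roundtrip delay: 3.2653ms, dispersion: 4.5166ms
Reachabilities:31, sync distance: 0.0194
Offset samples: 5629.55 3913.76 5247.27 6526.92 31.99 148.72 38.27 0.29
Clock source: 1::1
Session ID: 36144
Clock stratum: 16
Clock status: configured, insane, valid, unsynced
Reference clock ID: INIT
Local mode: sym_active, local poll interval: 6
Peer mode: unspec, peer poll interval: 10
Offset: 0.0000ms, roundtrip delay: 0.0000ms, dispersion: 15937ms
Reachabilities:0, sync distance: 15.938
Total sessions: 2
"""

# One regular expression per field; "Offset:" is anchored so that the
# "Offset samples:" line is not picked up by mistake.
FIELDS = {
    "source": r"^Clock source:\s*(\S+)",
    "stratum": r"^Clock stratum:\s*(\d+)",
    "status": r"^Clock status:\s*(.+)$",
    "refid": r"^Reference clock ID:\s*(\S+)",
    "local_poll_exp": r"local poll interval:\s*(\d+)",
    "offset_ms": r"^Offset:\s*(-?[\d.]+)ms",
    "reach": r"^Reachabilities:\s*(\d+)",
}
CAST = {"stratum": int, "reach": int, "local_poll_exp": int, "offset_ms": float}

# Assumption: reuse the 128 ms "spike" figure from Table 5 as an alert limit.
OFFSET_LIMIT_MS = 128.0


def parse_sessions(text):
    """Return one dict per 'Clock source:' block in the verbose output."""
    sessions = []
    for block in re.split(r"(?m)^(?=Clock source:)", text):
        if not block.startswith("Clock source:"):
            continue
        rec = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, block, re.M)
            value = m.group(1).strip() if m else None
            if value is not None and name in CAST:
                value = CAST[name](value)
            rec[name] = value
        # Keep status flags as a set of whole tokens, so that "sane" and
        # "insane" can never be confused by a substring test.
        rec["status"] = {s.strip() for s in (rec["status"] or "").split(",") if s.strip()}
        # The displayed poll value is an exponent: 6 means 2^6 = 64 seconds.
        exp = rec["local_poll_exp"]
        rec["local_poll_s"] = 2 ** exp if exp is not None else None
        sessions.append(rec)
    return sessions


def findings(rec):
    """Map one association to the list of conditions worth an alert."""
    out = []
    if rec["source"] in ("0.0.0.0", "::"):
        out.append("unresolved-server")   # server address not resolved
    if "insane" in rec["status"]:
        out.append("insane")              # failed authentication or not usable
    if rec["stratum"] == 16 or "unsynced" in rec["status"]:
        out.append("unsynced")            # stratum 16 is not synchronized
    if rec["refid"] == "INIT":
        out.append("no-connection")       # no connection to the server yet
    if rec["reach"] == 0:
        out.append("unreachable")         # reachability count of 0
    if rec["offset_ms"] is not None and abs(rec["offset_ms"]) > OFFSET_LIMIT_MS:
        out.append("large-offset")
    return out


def audit(text):
    """Return {clock source: [findings]} for every association in text."""
    return {rec["source"]: findings(rec) for rec in parse_sessions(text)}


if __name__ == "__main__":
    for source, issues in audit(SAMPLE).items():
        print(source, "OK" if not issues else ", ".join(issues))
```
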
display ntp-service status
Use display ntp-service status to display NTP service status.
Syntax
display ntp-service status
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display NTP service status after time synchronization.
<Sysname> display ntp-service status
Clock status: synchronized
Clock stratum: 2
System peer: LOCAL(0)
Local mode: client
Reference clock ID: 127.127.1.0
Leap indicator: 00
NTP version: 4
Clock jitter: 0.000977 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.00000 ms
Root dispersion: 3.96367 ms
Reference time: d0c5fc32.92c70b1e Wed, Dec 29 2019 18:28:02.573
System poll interval: 256 s
Sync state from NTP server to local clock: clock synced
# Display the NTP service status when time is not synchronized.
<Sysname> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Clock jitter: 0.000000 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.00000 ms
Root dispersion: 0.00002 ms
Reference time: d0c5fc32.92c70b1e Wed, Dec 29 2019 18:28:02.573
System poll interval: 8 s
Sync state from NTP server to local clock: phase not synced
Table 5 Command output
Field | Description |
---|---|
Clock status | Status of the system clock: · Synchronized—The local clock has been synchronized to an NTP server or clock source. · Unsynchronized—The local clock has not been synchronized to any NTP server. |
Clock stratum | Stratum level of the system clock. |
System peer | IP address of the selected NTP server. |
Local mode | Operation mode of the local device: · unspec—The mode is unspecified. · active—Active mode. · passive—Passive mode. · client—Client mode. · server—Server mode. · broadcast—Broadcast or multicast server mode. · bclient—Broadcast or multicast client mode. |
Reference clock ID | For an IPv4 NTP server: The field represents the IP address of the remote server when the local device is synchronized to a remote NTP server. The field represents the local clock when the local device uses the local clock as the reference source. · When the local clock has a stratum level of 1, this field displays LOCL. · When the local clock has any other stratum, this field displays the IP address of the local clock. For an IPv6 NTP server: The field represents the MD5 digest of the first 32 bits of the IPv6 address of the remote server when the local device is synchronized to a remote IPv6 NTP server. The field represents the local clock when the local device uses the local clock as the reference source. · When the local clock has a stratum level of 1, this field displays LOCL. · When the local clock has any other stratum, this field displays the MD5 digest of the first 32 bits of the IPv6 address of the local clock. |
Leap indicator | Alarming status: · 00—Normal. · 01—Leap second, indicates that the last minute in a day has 61 seconds. · 10—Leap second, indicates that the last minute in a day has 59 seconds. · 11—Time is not synchronized. |
NTP version | Version of the selected time server. The value range is 1 to 4. This field is displayed only after time has been synchronized. |
Clock jitter | Difference between the system clock and reference clock, in seconds. |
Stability | Clock frequency stability. A lower value represents better stability. |
Clock precision | Accuracy of the system clock. |
Root delay | Roundtrip delay from the local device to the primary NTP server, in milliseconds. |
Root dispersion | Maximum error of the system clock relative to the primary NTP server, in milliseconds. |
Reference time | Reference timestamp, time when NTP last set or corrected the system clock. If NTP has never set or corrected the system time since the device started, this field is fixed at 00000000.00000000 Mon, Jan 1 1900 0:00:00.000. |
System poll interval | System polling interval in seconds. |
Sync state from NTP server to local clock | Status of NTP time synchronization with the local system time. · phase not synced—When NTP synchronizes with the local system time, the phase is not synchronized. · frequency synced—When NTP synchronizes with the local system time, the frequency is synchronized. · phase synced but frequency not—When NTP synchronizes with the local system time, the phase is synchronized but the frequency is not synchronized. · clock synced—When NTP synchronizes with the local system time, both the phase and the frequency are synchronized. · spike—NTP detected a time difference of over 128 milliseconds between the NTP server and the NTP client and temporarily will not synchronize with the local system time. |
display ntp-service trace
Use display ntp-service trace to display brief information about each NTP server from the local device back to the primary NTP server.
Syntax
display ntp-service trace [ source interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
source interface-type interface-number: Specifies the source interface for sending NTP packets to trace each NTP server from the local device back to the primary NTP server. The source IP address of the NTP packets is the IPv4 address/IPv6 address of the specified source interface. If the IP address of an NTP server is a link-local address, the link-local address of the outgoing interface of NTP packets is used as the source IP address of the NTP packets. If you do not specify this option, the interface that sends the tracing NTP packets acts as the source interface.
Usage guidelines
To trace back to the primary NTP server from the source interface, make sure the source interface and the NTP servers from the local device to the primary NTP server are reachable to each other.
Examples
# Display brief information about each NTP server from the local device back to the primary NTP server.
<Sysname> display ntp-service trace
Server 127.0.0.1
Stratum 3, jitter 0.000, synch distance 0.0000.
Server 3000::32
Stratum 2 , jitter 790.00, synch distance 0.0000.
RefID 127.127.1.0
The output shows that server 127.0.0.1 is synchronized to server 3000::32, and server 3000::32 is synchronized to the local clock.
Table 6 Command output
Field | Description |
---|---|
Server | IP address of the NTP server. |
Stratum | Stratum level of the NTP server. |
jitter | Root mean square (RMS) value of the clock offset relative to the upper-level clock, in milliseconds. |
synch distance | Synchronization distance relative to the upper-level NTP server, in seconds, calculated from dispersion and roundtrip delay values. |
RefID | Identifier of the primary NTP server. When the stratum level of the primary reference clock is 0, it is displayed as LOCL. Otherwise, it is displayed as the IP address of the primary reference clock. |
Related commands
ntp-service ipv6 unicast-server
ntp-service ipv6 unicast-peer
ntp-service source
ntp-service unicast-server
ntp-service unicast-peer
ntp-service acl
Use ntp-service acl to configure the right for peer devices to access the IPv4 NTP services on the local device.
Use undo ntp-service to remove the configured IPv4 NTP service access right.
Syntax
ntp-service { peer | query | server | synchronization } acl { ipv4-acl-number | name ipv4-acl-name }
undo ntp-service { peer | query | server | synchronization } [ acl { ipv4-acl-number | name ipv4-acl-name } ]
Default
The right for the peer devices to access the IPv4 NTP services on the local device is peer.
Views
System view
Predefined user roles
network-admin
Parameters
peer: Allows the device to synchronize the clocks of the devices permitted by the specified ACL as an NTP client, or synchronize itself to these devices as an NTP server. It also allows the devices permitted by the ACL to query some local NTP status information such as alarms, authentication status, and time server information.
query: Allows the devices permitted by the specified ACL only to query some local NTP status information.
server: Allows the device to synchronize itself to the devices permitted by the specified ACL as an NTP server and allows the devices to query some local NTP status information.
synchronization: Allows the device to synchronize itself to the devices permitted by the specified ACL as an NTP server.
acl ipv4-acl-number: Specifies an IPv4 ACL by its number. The peer devices that match the IPv4 ACL have the access right specified in the command. The ipv4-acl-number argument represents an IPv4 basic ACL number in the range of 2000 to 2999 or an IPv4 advanced ACL number in the range of 3000 to 3999.
name ipv4-acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter. To avoid confusion, do not use all as an ACL name.
Usage guidelines
When the device receives an IPv4 NTP request, it matches the request against the access rights in order from the least restrictive to the most restrictive: peer, server, synchronization, and query.
If no right is matched, the peer device does not have access to the NTP service on the local device, and the device cannot synchronize the time with the peer device.
If the specified ACL does not exist, or the specified ACL does not contain any rule, any device can access the NTP service on the device.
If a VPN instance is specified in an ACL rule, the rule applies only to the packets of the VPN instance. If no VPN instance is specified in an ACL rule, the rule applies only to the packets on the public network.
The ntp-service acl command provides minimal security for a system running NTP. A more secure method is NTP authentication.
Examples
# Configure the peer devices on subnet 10.10.0.0/16 to have full access to the local device.
<Sysname> system-view
[Sysname] acl basic 2900
[Sysname-acl-ipv4-basic-2900] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2900] quit
[Sysname] ntp-service peer acl 2900
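The matching order and the missing-ACL behavior from the usage guidelines above, modeled in Python as an added example (not vendor code), so that a planned set of ntp-service acl bindings can be checked before it is applied. First-match rule evaluation, the deny result when no rule matches, the treatment of unbound rights as unmatched, and ACL 2901 are assumptions of this model.

```python
import ipaddress

# Order in which the device tries the access rights, least restrictive first.
RIGHT_ORDER = ("peer", "server", "synchronization", "query")


def _ip(value):
    """Dotted-decimal IPv4 address or wildcard mask as an integer."""
    return int(ipaddress.IPv4Address(value))


def rule_matches(rule, src):
    """rule is (action, source, wildcard); wildcard bits set to 1 are ignored."""
    _action, network, wildcard = rule
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(src) & care) == (_ip(network) & care)


def acl_permits(acls, acl_id, src):
    """Evaluate one ACL for a source address."""
    rules = acls.get(acl_id)
    if not rules:
        # Per the usage guidelines: an ACL that does not exist or has no
        # rules lets any device through.
        return True
    for rule in rules:              # assumption: first matching rule decides
        if rule_matches(rule, src):
            return rule[0] == "permit"
    return False                    # assumption: no rule matched, not permitted


def effective_right(bindings, acls, src):
    """Return the access right a source address ends up with, or None."""
    if not bindings:
        return "peer"               # documented default when nothing is configured
    for right in RIGHT_ORDER:
        if right in bindings and acl_permits(acls, bindings[right], src):
            return right
    return None                     # no right matched: no access to the NTP service


def open_bindings(bindings, acls):
    """Rights bound to a missing or empty ACL, which therefore admit any device."""
    return sorted(right for right, acl_id in bindings.items() if not acls.get(acl_id))


# Constructed sample: ACL 2900 is the one from the example above.
ACLS = {2900: [("permit", "10.10.0.0", "0.0.255.255")]}
INTENDED = {"peer": 2900}
# Hypothetical mistake: "query" is bound to ACL 2901, which was never created.
MISTAKE = {"peer": 2900, "query": 2901}

if __name__ == "__main__":
    for name, bindings in (("intended", INTENDED), ("mistake", MISTAKE)):
        for src in ("10.10.3.4", "203.0.113.9"):
            print(name, src, effective_right(bindings, ACLS, src))
        print(name, "open bindings:", open_bindings(bindings, ACLS))
```

Running `open_bindings` over every planned binding before deployment catches the case where a mistyped ACL number silently opens a right to all sources.
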
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
ntp-service authentication enable
Use ntp-service authentication enable to enable NTP authentication.
Use undo ntp-service authentication enable to disable NTP authentication.
Syntax
ntp-service authentication enable
undo ntp-service authentication enable
Default
NTP authentication is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Enable NTP authentication in networks that require time synchronization security to make sure NTP clients are synchronized only to authenticated NTP servers.
To authenticate an NTP server, set an authentication key and specify it as a trusted key.
Examples
# Enable NTP authentication.
<Sysname> system-view
[Sysname] ntp-service authentication enable
Related commands
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
ntp-service authentication-keyid
Use ntp-service authentication-keyid to set an NTP authentication key.
Use undo ntp-service authentication-keyid to remove an NTP authentication key.
Syntax
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
undo ntp-service authentication-keyid keyid
Default
No NTP authentication key exists.
Views
System view
Predefined user roles
network-admin
Parameters
keyid: Specifies an authentication key ID in the range of 1 to 4294967295.
authentication-mode: Specifies an authentication algorithm.
· hmac-sha-1: Specifies the HMAC-SHA-1 algorithm. This keyword is not supported in FIPS mode.
· hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.
· hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.
· hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.
· md5: Specifies the MD5 algorithm. This keyword is not supported in FIPS mode.
cipher: Specifies an authentication key in encrypted form.
simple: Specifies an authentication key in plaintext form. For security purposes, the authentication key specified in plaintext form will be stored in encrypted form.
string: Specifies a case-sensitive authentication key. Its plaintext form is a string of 1 to 32 characters. Its encrypted form is a string of 1 to 73 characters.
acl ipv4-acl-number: Specifies an IPv4 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.
ipv6 acl ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.
Usage guidelines
In a network where there is a high security demand, the NTP authentication feature must be enabled for a system running NTP. This feature enhances the network security by using client-server key authentication, which prohibits a client from synchronizing to a device that has failed the authentication.
The key ID in the message from the peer device identifies the key used for authentication. The acl ipv4-acl-number or ipv6 acl ipv6-acl-number option is used to identify the peer device that can use the key ID.
· The device uses the acl ipv4-acl-number or ipv6 acl ipv6-acl-number option to identify whether the peer device can use the key ID only when an NTP session to the peer device is to be established or already exists.
· If the specified ACL does not exist, or the specified ACL does not contain any rule, any device can use the key ID for authentication.
· If a VPN instance is specified in an ACL rule, the rule applies only to the packets of the VPN instance. If no VPN instance is specified in an ACL rule, the rule applies only to the packets on the public network.
To ensure a successful NTP authentication, configure the same key ID, authentication algorithm, and key on the time server and client.
After you specify an NTP authentication key, use the ntp-service reliable authentication-keyid command to configure the key as a trusted key. The key automatically changes to untrusted after you delete the key. In this case, you do not need to execute the undo ntp-service reliable authentication-keyid command.
The security strength of the five algorithms, in descending order, is HMAC-SHA-512, HMAC-SHA-384, HMAC-SHA-256, HMAC-SHA-1, and MD5.
You can set a maximum of 128 authentication keys by executing the command.
Examples
# Set a plaintext MD5 authentication key, with the key ID of 10 and key value of BetterKey.
<Sysname> system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 simple BetterKey
Related commands
ntp-service authentication enable
ntp-service reliable authentication-keyid
ntp-service broadcast-client
Use ntp-service broadcast-client to configure the device to operate in NTP broadcast client mode and use the current interface to receive NTP broadcast packets.
Use undo ntp-service broadcast-client to remove the configuration.
Syntax
ntp-service broadcast-client
undo ntp-service broadcast-client
Default
The device does not operate in any NTP association mode.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
This command is not supported in FIPS mode.
After you configure the command, the device listens to NTP messages sent by the NTP broadcast server and is synchronized based on the received NTP messages.
If you have configured the device to operate in broadcast client mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.
Examples
# Configure the device to operate in broadcast client mode and receive NTP broadcast messages on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntp-service broadcast-client
Related commands
ntp-service broadcast-server
Use ntp-service broadcast-server to configure the device to operate in NTP broadcast server mode and use the current interface to send NTP broadcast packets.
Use undo ntp-service broadcast-server to remove the configuration.
Syntax
ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
undo ntp-service broadcast-server
Default
The device does not operate in any NTP association mode.
Views
Interface view
Predefined user roles
network-admin
Parameters
authentication-keyid keyid: Specifies the key ID to be used for sending broadcast messages to broadcast clients. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, broadcast clients enabled with NTP authentication cannot synchronize to the local device.
version number: Specifies the NTP version. The value range for the number argument is 1 to 4, and the default is 4.
Usage guidelines
This command is not supported in FIPS mode.
After you configure the command, the device periodically sends NTP messages to the broadcast address 255.255.255.255.
If you have configured the device to operate in broadcast server mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.
Examples
# Configure the device to operate in broadcast server mode and send NTP broadcast messages on GigabitEthernet 1/0/1, using key 4 for authentication. Set the NTP version to 4.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntp-service broadcast-server authentication-keyid 4 version 4
Related commands
ntp-service broadcast-client
ntp-service cwmp unicast-server
Use ntp-service cwmp unicast-server to specify NTP servers defined in CWMP.
Use undo ntp-service cwmp unicast-server to delete the specified NTP servers defined in CWMP.
Syntax
ntp-service cwmp unicast-server { host-name | ipv4-address | ipv6 ipv6-address } { first | second | third | fourth | fifth }
undo ntp-service cwmp unicast-server { host-name | ipv4-address | ipv6 ipv6-address }
Default
No NTP servers defined in CWMP are configured.
Views
System view
Predefined user roles
network-admin
Parameters
host-name: Specifies an NTP server by its host name, a case-insensitive string of 1 to 64 characters. The string can contain only letters, digits, underscores (_), dots (.), and hyphens (-).
ipv4-address: Specifies an NTP server by its IPv4 address. This address can only be a unicast address. It cannot be a broadcast address, multicast address, or IP address of the local clock.
ipv6 ipv6-address: Specifies an NTP server by its IPv6 address. This address can only be a global unicast address. It cannot be a multicast address.
{ first | second | third | fourth | fifth }: Uses the specified NTP server as NTP server 1, NTP server 2, NTP server 3, NTP server 4, or NTP server 5 in CWMP. You can specify a maximum of five NTP servers for the device. The numbers do not represent priorities of the NTP servers.
Usage guidelines
After you specify an NTP server for the device, the device will synchronize its time with the NTP server. The NTP server will not synchronize its time with the device.
Both the ntp-service cwmp unicast-server and ntp-service unicast-server commands can be used for specifying NTP servers for the device. When multiple NTP servers are specified for the device and the device receives NTP responses from multiple NTP servers, the device will select the optimal clock based on parameters such as clock stratum and synchronize the time with the optimal clock.
Typically, you can use the ntp-service unicast-server command to specify an NTP server for the device. To specify an NTP server defined in CWMP for the device, use the ntp-service cwmp unicast-server command.
Do not specify the same NTP server by using the two commands.
You can execute this command multiple times to specify a maximum of five NTP servers defined in CWMP for the device.
Examples
# Specify the server at 1.1.1.1 as NTP server 1 and server at 2.2.2.2 as NTP server 2 in CWMP.
<Sysname> system-view
[Sysname] ntp-service cwmp unicast-server 1.1.1.1 first
[Sysname] ntp-service cwmp unicast-server 2.2.2.2 second
Related commands
ntp-service unicast-server
ntp-service dscp
Use ntp-service dscp to set a DSCP value for IPv4 NTP packets.
Use undo ntp-service dscp to restore the default.
Syntax
ntp-service dscp dscp-value
undo ntp-service dscp
Default
The DSCP value for IPv4 NTP packets is 48.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Sets a DSCP value in the range of 0 to 63 for IPv4 NTP packets.
Usage guidelines
The DSCP value is included in the ToS field of an IPv4 packet to identify the packet priority.
Examples
# Set the DSCP value for IPv4 NTP packets to 30.
<Sysname> system-view
[Sysname] ntp-service dscp 30
ntp-service enable
Use ntp-service enable to enable the NTP service.
Use undo ntp-service enable to disable the NTP service.
Syntax
ntp-service enable
undo ntp-service enable
Default
The NTP service is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
NTP and SNTP communicate using UDP port 123. If another service module uses this port, the device will fail to enable NTP and SNTP. If you enable NTP or SNTP, other service modules cannot use port 123.
Examples
# Enable the NTP service.
<Sysname> system-view
[Sysname] ntp-service enable
Related commands
sntp enable
ntp-service inbound enable
Use ntp-service inbound enable to enable an interface to receive NTP messages.
Use undo ntp-service inbound enable to disable an interface from receiving NTP messages.
Syntax
ntp-service inbound enable
undo ntp-service inbound enable
Default
An interface receives NTP messages.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
Execute the undo ntp-service inbound enable command on an interface in the following cases:
· You do not want the interface to synchronize the peer device in the corresponding subnet.
· You do not want the device to be synchronized by the peer device in the subnet corresponding to the interface.
Examples
# Disable GigabitEthernet 1/0/1 from receiving NTP messages.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo ntp-service inbound enable
ntp-service ipv6 acl
Use ntp-service ipv6 acl to configure the right for the peer devices to access the IPv6 NTP services of the local device.
Use undo ntp-service ipv6 to remove the configured IPv6 NTP service access right.
Syntax
ntp-service ipv6 { peer | query | server | synchronization } acl { ipv6-acl-number | name ipv6-acl-name }
undo ntp-service ipv6 { peer | query | server | synchronization } [ acl { ipv6-acl-number | name ipv6-acl-name } ]
Default
The right for the peer devices to access the IPv6 NTP services on the local device is peer.
Views
System view
Predefined user roles
network-admin
Parameters
peer: Allows the device to synchronize the clocks of the devices permitted by the specified IPv6 ACL as an NTP client, or synchronize itself to these devices as an NTP server. It also allows the devices permitted by the IPv6 ACL to query some local NTP status information such as alarms, authentication status, and time server information.
query: Allows the devices permitted by the specified IPv6 ACL only to query some local NTP status information.
server: Allows the device to synchronize itself to the devices permitted by the specified IPv6 ACL as an NTP server and allows the devices to query some local NTP status information.
synchronization: Allows the device to synchronize itself to the devices permitted by the specified IPv6 ACL as an NTP server.
ipv6-acl-number: Specifies an IPv6 ACL by its number. The peer devices that match the IPv6 ACL have the access right specified in the command. The ipv6-acl-number argument represents a basic IPv6 ACL number in the range of 2000 to 2999 or an advanced IPv6 ACL number in the range of 3000 to 3999.
name ipv6-acl-name: Specifies an IPv6 basic ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with an English letter. To avoid confusion, do not use all as an ACL name.
Usage guidelines
When the device receives an IPv6 NTP request, it matches the request against the access rights in order from the least restrictive to the most restrictive: peer, server, synchronization, and query.
If no right is matched, the peer device does not have access to the IPv6 NTP service on the local device, and the device cannot synchronize the time with the peer device.
If the specified ACL does not exist, or the specified ACL does not contain any rule, any device can access the IPv6 NTP service on the device.
If a VPN instance is specified in an ACL rule, the rule applies only to the packets of the VPN instance. If no VPN instance is specified in an ACL rule, the rule applies only to the packets on the public network.
The ntp-service ipv6 acl command provides a minimum security method. NTP authentication is more secure.
Examples
# Configure the peer devices on subnet 3001::1 to have full access to the local device.
<Sysname> system-view
[Sysname] acl ipv6 basic 2900
[Sysname-acl-ipv6-basic-2900] rule permit source 3001::1 64
[Sysname-acl-ipv6-basic-2900] quit
[Sysname] ntp-service ipv6 peer acl 2900
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
ntp-service ipv6 dscp
Use ntp-service ipv6 dscp to set a DSCP value for IPv6 NTP packets.
Use undo ntp-service ipv6 dscp to restore the default.
Syntax
ntp-service ipv6 dscp dscp-value
undo ntp-service ipv6 dscp
Default
The DSCP value for IPv6 NTP packets is 56.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP value in the range of 0 to 63 for IPv6 NTP packets.
Usage guidelines
The DSCP value is included in the Traffic Class field of an IPv6 packet to identify the packet priority.
Examples
# Set the DSCP value for IPv6 NTP packets to 30.
<Sysname> system-view
[Sysname] ntp-service ipv6 dscp 30
ntp-service ipv6 inbound enable
Use ntp-service ipv6 inbound enable to enable an interface to receive IPv6 NTP messages.
Use undo ntp-service ipv6 inbound enable to disable an interface from receiving IPv6 NTP messages.
Syntax
ntp-service ipv6 inbound enable
undo ntp-service ipv6 inbound enable
Default
An interface receives IPv6 NTP messages.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
Execute the undo ntp-service ipv6 inbound enable command on an interface in the following cases:
· You do not want the interface to synchronize the peer devices in the corresponding subnet.
· You do not want the device to be synchronized by the peer devices in the subnet corresponding to the interface.
Examples
# Disable GigabitEthernet 1/0/1 from receiving IPv6 NTP messages.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo ntp-service ipv6 inbound enable
ntp-service ipv6 multicast-client
Use ntp-service ipv6 multicast-client to configure the device to operate in IPv6 NTP multicast client mode and use the current interface to receive IPv6 NTP multicast packets.
Use undo ntp-service ipv6 multicast-client to remove the configuration.
Syntax
ntp-service ipv6 multicast-client ipv6-address
undo ntp-service ipv6 multicast-client ipv6-address
Default
The device does not operate in any NTP association mode.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies an IPv6 multicast address. An IPv6 multicast client and an IPv6 multicast server must be configured with the same multicast address.
Usage guidelines
This command is not supported in FIPS mode.
After you configure the command, the device listens to IPv6 NTP messages using the specified multicast address as the destination address. It is synchronized based on the received IPv6 NTP messages.
If you have configured the device to operate in IPv6 multicast client mode on an interface by using the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.
Examples
# Configure the device to operate in IPv6 multicast client mode and receive IPv6 NTP multicast messages with the destination FF21::1 on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntp-service ipv6 multicast-client ff21::1
Related commands
ntp-service ipv6 multicast-server
ntp-service ipv6 multicast-server
Use ntp-service ipv6 multicast-server to configure the device to operate in IPv6 NTP multicast server mode and use the current interface to send IPv6 NTP multicast packets.
Use undo ntp-service ipv6 multicast-server to remove the configuration.
Syntax
ntp-service ipv6 multicast-server ipv6-address [ authentication-keyid keyid | ttl ttl-number ] *
undo ntp-service ipv6 multicast-server ipv6-address
Default
The device does not operate in any NTP association mode.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies an IPv6 multicast address. An IPv6 multicast client and server must be configured with the same multicast address.
authentication-keyid keyid: Specifies the key ID to be used for sending multicast messages to multicast clients. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, multicast clients enabled with NTP authentication cannot synchronize to the local device.
ttl ttl-number: Specifies the TTL of NTP multicast messages. The value range for the ttl-number argument is 1 to 255, and the default is 16.
Usage guidelines
This command is not supported in FIPS mode.
After you configure the command, the device periodically sends NTP messages to the specified IPv6 multicast address.
If you have configured the device to operate in IPv6 multicast server mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.
Examples
# Configure the device to operate in IPv6 multicast server mode and send IPv6 NTP multicast messages on GigabitEthernet 1/0/1 to the multicast address FF21::1, using key 4 for authentication.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntp-service ipv6 multicast-server ff21::1 authentication-keyid 4
Related commands
ntp-service ipv6 multicast-client
ntp-service ipv6 source
Use ntp-service ipv6 source to specify a source interface for IPv6 NTP messages.
Use undo ntp-service ipv6 source to restore the default.
Syntax
ntp-service ipv6 source interface-type interface-number
undo ntp-service ipv6 source
Default
No source interface is specified for IPv6 NTP messages. The device automatically selects the source IP address for IPv6 NTP messages. For more information, see RFC 3484.
Views
System view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Usage guidelines
If you specify a source interface for IPv6 NTP messages, the device uses the IPv6 address of the source interface as the source address to send IPv6 NTP messages. Consequently, the destination address of the IPv6 NTP response messages is the address of the source interface.
When the device responds to an IPv6 NTP request, the source IPv6 address of the NTP response is always the IPv6 address of the interface that has received the IPv6 NTP request.
If you do not want the IPv6 address of an interface on the local device to become the destination address for response messages, use the command to specify another interface as the source interface for IPv6 NTP messages.
The source interface for IPv6 NTP messages can also be specified in the following ways:
· In NTP client/server mode, if you have specified the source interface for IPv6 NTP messages in the ntp-service ipv6 unicast-server command, the specified interface acts as the source interface for IPv6 NTP messages.
· In NTP symmetric active/passive mode, if you have specified the source interface for IPv6 NTP messages in the ntp-service ipv6 unicast-peer command, the specified interface acts as the source interface for IPv6 NTP messages.
· In NTP multicast mode, if you have configured the ntp-service ipv6 multicast-server command on an interface, the interface acts as the source interface for NTP multicast messages.
If the specified source interface is down, the device does not send IPv6 NTP messages.
Examples
# Specify the source interface of IPv6 NTP messages as GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] ntp-service ipv6 source gigabitethernet 1/0/1
ntp-service ipv6 time-server enable
Use ntp-service ipv6 time-server enable to enable IPv6 NTP server.
Use undo ntp-service ipv6 time-server enable to disable IPv6 NTP server.
Syntax
ntp-service ipv6 time-server enable
undo ntp-service ipv6 time-server enable
Default
IPv6 NTP server is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command is used to control whether the device can provide IPv6 NTP synchronization to other devices.
· When IPv6 NTP server is enabled on the device and the device is permitted by the ACL rules set in the ntp-service ipv6 acl command on other devices, the device can provide IPv6 NTP synchronization to those devices.
· If IPv6 NTP server is disabled on the device, the device cannot provide IPv6 NTP synchronization to other devices.
Examples
# Enable IPv6 NTP server.
<Sysname> system-view
[Sysname] ntp-service ipv6 time-server enable
ntp-service ipv6 unicast-peer
Use ntp-service ipv6 unicast-peer to specify an IPv6 symmetric-passive peer for the device.
Use undo ntp-service ipv6 unicast-peer to remove the IPv6 symmetric-passive peer specified for the device.
Syntax
ntp-service ipv6 unicast-peer { peer-name | ipv6-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number ] *
undo ntp-service ipv6 unicast-peer { peer-name | ipv6-address } [ vpn-instance vpn-instance-name ]
Default
No IPv6 symmetric-passive peer is specified.
Views
System view
Predefined user roles
network-admin
Parameters
peer-name: Specifies a symmetric-passive peer by its host name, a case-insensitive string of 1 to 253 characters.
ipv6-address: Specifies a symmetric-passive peer by its IPv6 address. It must be a unicast address, rather than a multicast address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the symmetric-passive peer belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the symmetric-passive peer is on the public network, do not specify this option.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the peer. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, the local device and the peer do not authenticate each other.
maxpoll maxpoll-interval: Specifies the maximum polling interval. The value range for the maxpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The maximum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the maxpoll-interval argument is 6 and the default maximum polling interval is 2^6 (64) seconds.
minpoll minpoll-interval: Specifies the minimum polling interval. The value range for the minpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The minimum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the minpoll-interval argument is 6 and the default minimum polling interval is 2^6 (64) seconds.
priority: Specifies the peer specified by ipv6-address or peer-name as the first choice under the same condition.
source interface-type interface-number: Specifies the source interface for IPv6 NTP messages. If the specified passive peer address is not a link local address, the source IPv6 address for IPv6 NTP messages sent by the local device is the IPv6 address of the specified source interface. If the specified passive peer address is a link local address, the IPv6 NTP messages are sent from the specified source interface, and the source address of the messages is the link local address of the interface. The interface-type interface-number argument represents the interface type and number. If you do not specify an interface, the device automatically selects the source IPv6 address of IPv6 NTP messages. For more information, see RFC 3484.
Usage guidelines
When you specify an IPv6 passive peer for the device, the device and its IPv6 passive peer can be synchronized to each other. If their clocks are in synchronized state, the clock with a higher stratum level is synchronized to the clock with a lower stratum level.
If the specified IPv6 address of the passive peer is a link local address, you must specify the source interface for NTP messages and cannot specify a VPN instance for the passive peer.
After you specify an IPv6 symmetric-passive peer for a device, the device polls and synchronizes its time with the peer device at the minimum polling interval. If the time discrepancy between the two remains within the acceptable range, the system gradually increases the polling interval until the maximum polling interval is reached. If the time discrepancy exceeds the acceptable range repeatedly, the polling interval decreases gradually.
The polling interval configuration takes effect from the next polling.
Examples
# Specify the device with the IPv6 address of 3001::1 as the symmetric-passive peer of the local device, and specify the source interface for IPv6 NTP messages as GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] ntp-service ipv6 unicast-peer 3001::1 source gigabitethernet 1/0/1
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
ntp-service ipv6 unicast-server
Use ntp-service ipv6 unicast-server to specify an IPv6 NTP server for the device.
Use undo ntp-service ipv6 unicast-server to remove an IPv6 NTP server specified for the device.
Syntax
ntp-service ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number ] *
undo ntp-service ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ]
Default
No IPv6 NTP server is specified.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies an NTP server by its host name, a case-insensitive string of 1 to 253 characters.
ipv6-address: Specifies an NTP server by its IPv6 address. It must be a unicast address, rather than a multicast address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the NTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the NTP server is on the public network, do not specify this option.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, the local device and NTP server do not authenticate each other.
maxpoll maxpoll-interval: Specifies the maximum polling interval. The value range for the maxpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The maximum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the maxpoll-interval argument is 6 and the default maximum polling interval is 2^6 (64) seconds.
minpoll minpoll-interval: Specifies the minimum polling interval. The value range for the minpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The minimum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the minpoll-interval argument is 6 and the default minimum polling interval is 2^6 (64) seconds.
priority: Specifies this NTP server as the first choice under the same condition.
source interface-type interface-number: Specifies the source interface for IPv6 NTP messages. If the specified IPv6 NTP server address is not a link local address, the source IPv6 address for IPv6 NTP messages sent by the local device to the NTP server is the IPv6 address of the specified source interface. If the specified IPv6 NTP server address is a link local address, the IPv6 NTP messages are sent from the specified source interface, and the source address of the messages is the link local address of the interface. The interface-type interface-number argument represents the interface type and number. If you do not specify an interface, the device automatically selects the source IPv6 address of IPv6 NTP messages. For more information, see RFC 3484.
Usage guidelines
When you specify an IPv6 NTP server for the device, the device is synchronized to the IPv6 NTP server, but the IPv6 NTP server is not synchronized to the device.
If the specified IPv6 address of the NTP server is a link local address, you must specify the source interface for NTP messages and cannot specify a VPN instance for the NTP server.
After you specify an IPv6 NTP server for a device, the device polls and synchronizes its time with the server at the minimum polling interval. If the time discrepancy between the two remains within the acceptable range, the system gradually increases the polling interval until the maximum polling interval is reached. If the time discrepancy exceeds the acceptable range repeatedly, the polling interval decreases gradually.
The polling interval configuration takes effect from the next polling.
Examples
# Specify the IPv6 NTP server 3001::1 for the device.
<Sysname> system-view
[Sysname] ntp-service ipv6 unicast-server 3001::1
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
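Added example (not part of this command reference and not vendor tooling): a Python audit of saved configuration text against the rules stated in the ntp-service authentication-keyid section and in the authentication-keyid option of the ntp-service ipv6 unicast-server and unicast-peer sections above. Assumptions: both sample configurations are constructed, the finding codes are hypothetical names, and the argument form of ntp-service reliable authentication-keyid and the IPv4 ntp-service unicast-server line are taken to mirror the syntax shown on this page.

```python
import re

# Per the page: MD5 and HMAC-SHA-1 are the two weakest algorithms and are
# not supported in FIPS mode.
WEAK_ALGS = {"md5", "hmac-sha-1"}

KEY_RE = re.compile(
    r"^ntp-service authentication-keyid (\d+) authentication-mode (\S+) "
    r"(cipher|simple) (\S+)(.*)$")
# Assumption: the IPv4 form mirrors the IPv6 syntax shown on the page.
ASSOC_RE = re.compile(r"^ntp-service (ipv6 )?unicast-(server|peer) (\S+)(.*)$")
# Assumption: the trusted-key command takes a single keyid argument.
TRUST_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
ACL_RE = re.compile(r"^acl (ipv6 )?basic (\d+)$")


def parse(config):
    """Collect NTP-relevant state from a block of configuration lines."""
    state = {"auth": False, "keys": {}, "trusted": set(), "assocs": [], "acls": {}}
    current_acl = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            current_acl = ("ipv6" if m.group(1) else "ipv4", int(m.group(2)))
            state["acls"][current_acl] = 0
            continue
        if current_acl and line.startswith("rule "):
            state["acls"][current_acl] += 1  # count rules inside the ACL view
            continue
        current_acl = None
        if line == "ntp-service authentication enable":
            state["auth"] = True
        elif (m := KEY_RE.match(line)):
            acls = [("ipv6" if v6 else "ipv4", int(n))
                    for v6, n in re.findall(r"(ipv6 )?acl (\d+)", m.group(5))]
            state["keys"][int(m.group(1))] = {"alg": m.group(2), "acls": acls}
        elif (m := TRUST_RE.match(line)):
            state["trusted"].add(int(m.group(1)))
        elif (m := ASSOC_RE.match(line)):
            k = re.search(r"authentication-keyid (\d+)", m.group(4))
            state["assocs"].append((m.group(3), int(k.group(1)) if k else None))
    return state


def audit(config):
    """Return a sorted list of (finding_code, subject) tuples."""
    s = parse(config)
    out = set()
    if not s["auth"]:
        out.add(("AUTH_DISABLED", "global"))  # default is disabled
    for kid, key in s["keys"].items():
        if key["alg"] in WEAK_ALGS:
            out.add(("WEAK_ALGORITHM", f"key {kid}"))
        if kid not in s["trusted"]:
            out.add(("KEY_NOT_TRUSTED", f"key {kid}"))
        if not key["acls"]:
            out.add(("KEY_NO_ACL", f"key {kid}"))
        for acl in key["acls"]:
            # A missing or rule-less ACL lets any device use the key ID.
            if s["acls"].get(acl, 0) == 0:
                out.add(("KEY_ACL_EMPTY_OR_MISSING", f"key {kid}"))
    for addr, kid in s["assocs"]:
        if kid is None:
            out.add(("ASSOC_UNAUTHENTICATED", addr))
        elif kid not in s["keys"]:
            out.add(("ASSOC_KEY_UNDEFINED", addr))
    return sorted(out)


# Constructed sample: weak settings. The key strings are placeholders.
WEAK_CONFIG = """\
ntp-service enable
ntp-service authentication-keyid 10 authentication-mode md5 cipher PLACEHOLDER-CIPHERTEXT
ntp-service authentication-keyid 20 authentication-mode hmac-sha-256 cipher PLACEHOLDER-CIPHERTEXT acl 2901
ntp-service reliable authentication-keyid 20
ntp-service unicast-server 10.10.0.1
ntp-service ipv6 unicast-server 3001::1 authentication-keyid 30
"""

# Constructed sample: the same intent with the gaps closed.
HARDENED_CONFIG = """\
acl basic 2901
 rule 0 permit source 10.10.0.0 0.0.255.255
#
ntp-service enable
ntp-service authentication enable
ntp-service authentication-keyid 20 authentication-mode hmac-sha-256 cipher PLACEHOLDER-CIPHERTEXT acl 2901
ntp-service reliable authentication-keyid 20
ntp-service unicast-server 10.10.0.1 authentication-keyid 20
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The weak sample trips every check, including key 20 whose ACL 2901 is referenced but never defined; the hardened sample returns no findings.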
ntp-service max-dynamic-sessions
Use ntp-service max-dynamic-sessions to set the maximum number of dynamic NTP sessions.
Use undo ntp-service max-dynamic-sessions to restore the default.
Syntax
ntp-service max-dynamic-sessions number
undo ntp-service max-dynamic-sessions
Default
The maximum number of dynamic NTP sessions is 100.
Views
System view
Predefined user roles
network-admin
Parameters
number: Sets the maximum number of dynamic NTP associations, in the range of 0 to 100.
Usage guidelines
A device can have a maximum of 128 concurrent associations, including static associations and dynamic associations. A static association refers to an association that a user has manually created by using an NTP command. A dynamic association is a temporary association created by the system during operation.
This command limits the number of dynamic NTP associations and prevents dynamic NTP associations from occupying too many system resources. When this command is configured, the number of dynamic NTP associations might have already exceeded the configured value. The device does not delete dynamic associations that already existed before the command is configured.
Examples
# Set the maximum number of dynamic NTP associations to 50.
<Sysname> system-view
[Sysname] ntp-service max-dynamic-sessions 50
Related commands
display ntp-service sessions
ntp-service multicast-client
Use ntp-service multicast-client to configure the device to operate in NTP multicast client mode and use the current interface to receive NTP multicast packets.
Use undo ntp-service multicast-client to remove the configuration.
Syntax
ntp-service multicast-client [ ip-address ]
undo ntp-service multicast-client [ ip-address ]
Default
The device does not operate in any NTP association mode.
Views
Interface view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a multicast IP address. The default address is 224.0.1.1. A multicast server and client must be configured with the same multicast IP address.
Usage guidelines
This command is not supported in FIPS mode.
After you configure the command, the device listens to NTP messages using the specified multicast address as the destination address.
If you have configured the device to operate in multicast client mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.
Examples
# Configure the device to operate in multicast client mode and receive NTP multicast messages on GigabitEthernet 1/0/1, and set the multicast address to 224.0.1.1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntp-service multicast-client 224.0.1.1
Related commands
ntp-service multicast-server
ntp-service multicast-server
Use ntp-service multicast-server to configure the device to operate in NTP multicast server mode and use the current interface to send NTP multicast packets.
Use undo ntp-service multicast-server to remove the configuration.
Syntax
ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
undo ntp-service multicast-server [ ip-address ]
Default
The device does not operate in any NTP association mode.
Views
Interface view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a multicast IP address. The default is 224.0.1.1. A multicast server and client must be configured with the same multicast IP address.
authentication-keyid keyid: Specifies the key ID to be used for sending multicast messages to multicast clients. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, multicast clients enabled with NTP authentication cannot synchronize to the local device.
ttl ttl-number: Specifies the TTL of NTP multicast messages. The value range for the ttl-number argument is 1 to 255. The default value is 16.
version number: Specifies the NTP version. The value range for the number argument is 1 to 4. The default value is 4.
Usage guidelines
This command is not supported in FIPS mode.
After you configure the command, the device periodically sends NTP messages to the specified multicast address.
If you have configured the device to operate in multicast server mode on an interface with the command, do not add the interface to any aggregate group. To add the interface to an aggregate group, remove the configuration of the command.
Examples
# Configure the device to operate in multicast server mode and send NTP multicast messages on GigabitEthernet 1/0/1 to the multicast address 224.0.1.1, using key 4 for authentication. Set the NTP version to 4.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ntp-service multicast-server 224.0.1.1 version 4 authentication-keyid 4
Related commands
ntp-service multicast-client
ntp-service noquery enable
Use ntp-service noquery enable to disallow control queries from the peer device to the local device.
Use undo ntp-service noquery enable to allow control queries from the peer device to the local device.
Syntax
ntp-service noquery enable
undo ntp-service noquery enable
Default
Control queries from the peer device to the local device are allowed.
Views
System view
Predefined user roles
network-admin
Usage guidelines
By default, the device allows peer devices to use NTP mode 6 (MODE_CONTROL) and mode 7 (MODE_PRIVATE) messages to query the local NTP status, such as alarm, authentication, and time server information. After this command is configured, the device does not process NTP mode 6 or mode 7 messages. In an insecure network environment, you can configure this command to avoid security risks.
The ntp-service noquery enable command and its undo form are used only to configure the device to disallow or allow control queries and do not disable or enable clock synchronization. If the ntp-service noquery enable command or its undo form and the ntp-service acl or ntp-service ipv6 acl command are both configured, the ntp-service noquery enable command or its undo form determines whether control queries are allowed.
This command is mutually exclusive with the display ntp-service trace command. To use the display ntp-service trace command, you must configure the device to allow control queries.
Examples
# Disallow control queries for the local device.
<Sysname> system-view
[Sysname] ntp-service noquery enable
Related commands
display ntp-service trace
ntp-service acl
ntp-service ipv6 acl
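One way to check from a packet capture whether control queries still reach and get answered by a device, as an added example that is not part of the original reference. The addresses, the sample datagrams and the function names are constructed for illustration; a mode 6 or mode 7 answer sourced from the device indicates that control queries are still allowed.

```python
"""Added example: spot NTP control queries (modes 6 and 7) in captured UDP/123 traffic."""
from collections import namedtuple

# One UDP/123 datagram from a capture: addresses as text, payload as bytes.
Datagram = namedtuple("Datagram", "src dst payload")

CONTROL_MODES = {6: "MODE_CONTROL", 7: "MODE_PRIVATE"}


def classify(payload):
    """Return (version, mode, is_response) decoded from an NTP payload.

    is_response is None for the time-synchronization modes (1 to 5).
    """
    if len(payload) < 2:
        raise ValueError("payload too short for an NTP header")
    first, second = payload[0], payload[1]
    version = (first >> 3) & 0x07   # bits 3-5 of the first octet
    mode = first & 0x07             # low three bits of the first octet
    if mode == 6:
        is_response = bool(second & 0x80)   # response bit leads the second octet
    elif mode == 7:
        is_response = bool(first & 0x80)    # response bit sits where LI normally is
    else:
        is_response = None
    return version, mode, is_response


def audit_control_queries(datagrams, device_ip):
    """Collect control queries sent to device_ip and control answers it sent back."""
    findings = {"queries_to_device": [], "answers_from_device": [], "malformed": 0}
    for dgram in datagrams:
        try:
            _version, mode, is_response = classify(dgram.payload)
        except ValueError:
            findings["malformed"] += 1
            continue
        if mode not in CONTROL_MODES:
            continue   # ordinary time synchronization traffic
        if dgram.dst == device_ip and not is_response:
            findings["queries_to_device"].append((dgram.src, mode))
        elif dgram.src == device_ip and is_response:
            # The device answered: control queries are still being processed.
            findings["answers_from_device"].append((dgram.dst, mode))
    return findings


# Constructed sample capture (documentation addresses, zero-filled bodies).
DEVICE = "192.0.2.1"
SAMPLE = [
    Datagram("192.0.2.10", DEVICE, bytes([0x23]) + bytes(47)),          # v4 client request
    Datagram(DEVICE, "192.0.2.10", bytes([0x24]) + bytes(47)),          # v4 server reply
    Datagram("198.51.100.7", DEVICE, bytes([0x16, 0x02]) + bytes(10)),  # mode 6 request
    Datagram(DEVICE, "198.51.100.7", bytes([0x16, 0x82]) + bytes(10)),  # mode 6 response
    Datagram("198.51.100.7", DEVICE, bytes([0x17, 0x00]) + bytes(6)),   # mode 7 request
    Datagram("203.0.113.5", DEVICE, b"\x16"),                           # truncated payload
]

if __name__ == "__main__":
    report = audit_control_queries(SAMPLE, DEVICE)
    for src, mode in report["queries_to_device"]:
        print(f"control query from {src}: mode {mode} ({CONTROL_MODES[mode]})")
    for dst, mode in report["answers_from_device"]:
        print(f"device answered {dst} with mode {mode}: control queries are allowed")
    print(f"malformed datagrams skipped: {report['malformed']}")
```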
ntp-service refclock-master
Use ntp-service refclock-master to configure the local clock as the reference source.
Use undo ntp-service refclock-master to remove the configuration.
Syntax
ntp-service refclock-master [ ip-address ] [ stratum ]
undo ntp-service refclock-master [ ip-address ]
Default
The device does not use its local clock as the reference clock.
Views
System view
Predefined user roles
network-admin
Parameters
ip-address: IP address of the local clock, 127.127.1.u, where u is the NTP process ID in the range of 0 to 3. The default value is 127.127.1.0.
stratum: Stratum level of the local clock, in the range of 1 to 15. The default value is 8. A lower stratum level represents higher clock accuracy.
Usage guidelines
Typically, an NTP server that gets its time from an authoritative time source, such as an atomic clock, has stratum 1 and operates as the primary time server to provide time synchronization for other devices in the network. The accuracy of each server is indicated by its stratum, with the topmost level (primary servers) assigned one and each level downwards (secondary servers) in the hierarchy assigned one greater than the preceding level.
If the devices in a network cannot synchronize to an authoritative time source, you can perform the following tasks:
· Select a device that has a relatively accurate clock from the network.
· Use the local clock of the device as the reference clock to synchronize other devices in the network.
Use the command with caution to avoid time errors. As a best practice, set the local clock time to a correct value before you execute the command.
Some NTP clients require the stratum of the NTP server to be less than or equal to 14. For these NTP clients to synchronize time from the NTP server, specify the stratum level as appropriate based on the networking environment.
Examples
# Specify the local clock as the reference source, with the stratum level 2.
<Sysname> system-view
[Sysname] ntp-service refclock-master 2
ntp-service reliable authentication-keyid
Use ntp-service reliable authentication-keyid to specify an authentication key as a trusted key.
Use undo ntp-service reliable authentication-keyid to remove the configuration.
Syntax
ntp-service reliable authentication-keyid keyid
undo ntp-service reliable authentication-keyid keyid
Default
No trusted key is specified.
Views
System view
Predefined user roles
network-admin
Parameters
keyid: Specifies an authentication key by its ID in the range of 1 to 4294967295.
Usage guidelines
When NTP authentication is enabled, a client can be synchronized only to a server that can provide a trusted authentication key.
Before you use the command, make sure NTP authentication is enabled and an authentication key is configured. The key automatically changes to untrusted after you delete the key. In this case, you do not need to execute the undo ntp-service reliable authentication-keyid command.
You can set a maximum of 128 keys by executing the command.
Examples
# Enable NTP authentication, specify the MD5 algorithm, with the key ID of 37 and key value of BetterKey.
<Sysname> system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 37 authentication-mode md5 simple BetterKey
# Specify this key as a trusted key.
[Sysname] ntp-service reliable authentication-keyid 37
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service source
Use ntp-service source to specify the source IPv4 address for NTP messages.
Use undo ntp-service source to restore the default.
Syntax
ntp-service source { interface-type interface-number | ipv4-address }
undo ntp-service source
Default
No source IPv4 address is specified for NTP messages. The device performs the following operations:
· Searches the routing table for the outbound interface of NTP messages.
· Uses the primary IPv4 address of the outbound interface as the source IPv4 address of NTP messages.
Views
System view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies an interface as the source interface of NTP messages. If you specify a source interface for NTP messages, the device uses the primary IPv4 address of the interface as the source IP address of NTP messages. Consequently, the NTP response messages will use this source address as the destination address.
ipv4-address: Specifies the source IPv4 address for NTP messages.
Usage guidelines
When the device responds to an NTP request, the source IP address of the NTP response is always the IP address of the interface that has received the NTP request.
If you do not want the IP address of an interface on the local device to become the destination address for response messages, use the command to specify another interface as the source interface for NTP messages.
When you use this command to specify the source address for NTP messages, the following restrictions apply:
· In NTP client/server mode, if you have specified the source IPv4 address for NTP messages in the ntp-service unicast-server command, this specified IPv4 address is used as the source IPv4 address for NTP messages.
· In NTP symmetric active/passive mode, if you have specified the source IPv4 address for NTP messages in the ntp-service unicast-peer command, this specified IPv4 address is used as the source IPv4 address for NTP messages.
· In NTP multicast mode, if you have configured the ntp-service multicast-server command on an interface, the IPv4 address of this interface is used as the source IPv4 address for NTP multicast messages.
· In NTP broadcast mode, if you have configured the ntp-service broadcast-server command on an interface, the IPv4 address of this interface is used as the source IPv4 address for NTP broadcast messages.
· If the interface whose IPv4 address is specified as the source address of NTP messages is down, the device does not send NTP messages.
Examples
# Specify the IP address of GigabitEthernet 1/0/1 as the source IPv4 address for NTP messages.
<Sysname> system-view
[Sysname] ntp-service source gigabitethernet 1/0/1
ntp-service time-offset-limit
Use ntp-service time-offset-limit to configure the maximum allowed time offset for NTP synchronization. If the maximum offset is exceeded, NTP time synchronization will not be performed.
Use undo ntp-service time-offset-limit to restore the default.
Syntax
ntp-service time-offset-limit limit-threshold
undo ntp-service time-offset-limit
Default
The maximum allowed time offset for NTP synchronization is not configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
limit-threshold: Specifies the maximum allowed time offset for NTP synchronization. The value is in the range of 100 to 60000, in milliseconds.
Usage guidelines
Application scenarios
This command is used to configure the conditions for time synchronization between the NTP client and NTP server.
Operating mechanism
The device periodically subtracts the local time of the NTP client from the time provided by the NTP server to obtain a time offset. This time offset should remain stable within a small range of changes and be less than or equal to the maximum allowed time offset configured by this command. If the time offset exceeds the configured maximum value, the NTP client considers the time from the NTP server unreliable. As a result, it does not synchronize the time with the NTP server, and it generates log and notification messages to alert the administrators.
Configuration prerequisites
Logs triggered by this command will be sent to the device's information center module. You can configure information center module parameters for the logs to be output as desired. For more information about the information center module parameters, see information center configuration in Network Management and Monitoring Configuration Guide.
Notifications triggered by this command will be sent to the device's SNMP module. You can configure SNMP notification output parameters for the notifications to be output as desired. For more information about SNMP notifications, see SNMP configuration in System Management Configuration Guide.
Examples
# Set the maximum allowed time offset for NTP synchronization to 1000 milliseconds.
<Sysname> system-view
[Sysname] ntp-service time-offset-limit 1000
Related commands
ntp-service time-offset-threshold
ntp-service time-offset-threshold
Use ntp-service time-offset-threshold to specify the NTP time offset thresholds for log and trap outputs.
Use undo ntp-service time-offset-threshold to restore the default.
Syntax
ntp-service time-offset-threshold { log log-threshold | trap trap-threshold } *
undo ntp-service time-offset-threshold
Default
No NTP time offset thresholds are set for log and trap outputs.
Views
System view
Predefined user roles
network-admin
Parameters
log log-threshold: Specifies the NTP time offset threshold for log output. The value range for the log-threshold argument is 100 to 60000, in milliseconds.
trap trap-threshold: Specifies the NTP time offset threshold for notification output. The value range for the trap-threshold argument is 100 to 60000, in milliseconds.
Usage guidelines
Application scenarios
This command monitors whether the time provided by the NTP server is within the normal range. If it exceeds the specified range, logs and notification messages are generated to alert the administrator to check whether the NTP server is normal.
Operating mechanism
The device periodically subtracts the local time of the NTP client from the time provided by the NTP server to obtain a time offset. This time offset should remain stable within a small range of changes.
· If the calculated time offset exceeds the NTP time offset threshold for log output, the NTP module will automatically generate a log to alert the administrator that the time provided by the NTP server might be abnormal.
· If the calculated time offset of the device exceeds the NTP time offset threshold for trap output, the NTP module will automatically generate a notification to alert the administrator that the time provided by the NTP server might be abnormal.
Configuration prerequisites
Logs triggered by this command will be sent to the device's information center module. You can configure information center module parameters for the logs to be output as desired. For more information about the information center module parameters, see information center configuration in Network Management and Monitoring Configuration Guide.
Notifications triggered by this command will be sent to the device's SNMP module. You can configure SNMP notification output parameters for the notifications to be output as desired. For more information about SNMP notifications, see SNMP configuration in System Management Configuration Guide.
Examples
# Set the NTP time-offset thresholds for log and trap outputs to 500 milliseconds and 600 milliseconds, respectively.
<Sysname> system-view
[Sysname] ntp-service time-offset-threshold log 500 trap 600
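How the offset limit and the log and trap thresholds interact for a single poll, as an added example that is not the device's own code. It goes beyond the page's description by computing the offset with the standard four-timestamp NTP formula and by comparing the absolute value of the offset; both are assumptions about the device, and the timestamps are constructed.

```python
"""Added example: NTP offset from four timestamps, checked against the limit and thresholds."""
import struct

MIN_MS, MAX_MS = 100, 60000   # value range the page gives for all three settings


def ntp_timestamp(raw):
    """Decode a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to seconds."""
    seconds, fraction = struct.unpack("!II", raw)
    return seconds + fraction / 2 ** 32


def clock_offset_ms(t1, t2, t3, t4):
    """Standard NTP clock offset, ((T2 - T1) + (T3 - T4)) / 2, in milliseconds.

    T1 client transmit, T2 server receive, T3 server transmit, T4 client receive.
    """
    return ((t2 - t1) + (t3 - t4)) / 2 * 1000.0


def evaluate(offset_ms, limit_ms=None, log_ms=None, trap_ms=None):
    """Apply time-offset-limit and time-offset-threshold settings to one offset.

    None means the corresponding setting is not configured (the default).
    """
    for name, value in (("limit", limit_ms), ("log", log_ms), ("trap", trap_ms)):
        if value is not None and not MIN_MS <= value <= MAX_MS:
            raise ValueError(f"{name} value {value} is outside {MIN_MS}-{MAX_MS} ms")
    magnitude = abs(offset_ms)   # assumption: the sign of the offset is ignored
    limit_exceeded = limit_ms is not None and magnitude > limit_ms
    return {
        "offset_ms": offset_ms,
        "synchronize": not limit_exceeded,   # over the limit: server time is not used
        "limit_alert": limit_exceeded,       # log and notification from the limit itself
        "threshold_log": log_ms is not None and magnitude > log_ms,
        "threshold_trap": trap_ms is not None and magnitude > trap_ms,
    }


def evaluate_exchange(raw_timestamps, **settings):
    """Decode the four raw timestamps of one poll and evaluate the resulting offset."""
    t1, t2, t3, t4 = (ntp_timestamp(raw) for raw in raw_timestamps)
    return evaluate(clock_offset_ms(t1, t2, t3, t4), **settings)


def stamp(seconds, fraction):
    """Build a raw NTP timestamp for the constructed samples below."""
    return struct.pack("!II", seconds, fraction)


# Constructed polls (T1, T2, T3, T4); fractions are 0.25, 0.5 and 0.75 seconds.
BASE = 3_900_000_000
QUARTER, HALF, THREE_QUARTERS = 0x40000000, 0x80000000, 0xC0000000
EXCHANGES = {
    "drifting": (stamp(BASE, 0), stamp(BASE, THREE_QUARTERS),
                 stamp(BASE, THREE_QUARTERS), stamp(BASE, QUARTER)),          # +625 ms
    "far_off": (stamp(BASE, 0), stamp(BASE + 1, HALF),
                stamp(BASE + 1, HALF), stamp(BASE, 0)),                       # +1500 ms
    "at_threshold": (stamp(BASE + 1, 0), stamp(BASE, HALF),
                     stamp(BASE, HALF), stamp(BASE + 1, 0)),                  # -500 ms
}

# Values taken from the two Examples sections on the page.
SETTINGS = {"limit_ms": 1000, "log_ms": 500, "trap_ms": 600}

if __name__ == "__main__":
    for name, raw in EXCHANGES.items():
        print(name, evaluate_exchange(raw, **SETTINGS))
```

An offset equal to a threshold does not fire it, because the page words all three conditions as the offset exceeding the configured value.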
ntp-service time-server enable
Use ntp-service time-server enable to enable NTP server.
Use undo ntp-service time-server enable to disable NTP server.
Syntax
ntp-service time-server enable
undo ntp-service time-server enable
Default
NTP server is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A device can provide NTP synchronization only when it meets the following conditions:
· NTP server is enabled on the device.
· The device is permitted by the ACLs configured in the ntp-service acl command on the peer device.
If you disable NTP server on the device, the device cannot provide NTP time synchronization.
Examples
# Enable NTP server.
<Sysname> system-view
[Sysname] ntp-service time-server enable
Related commands
ntp-service acl
ntp-service ipv6 acl
ntp-service unicast-peer
Use ntp-service unicast-peer to specify a symmetric-passive peer for the device.
Use undo ntp-service unicast-peer to remove the symmetric-passive peer specified for the device.
Syntax
ntp-service unicast-peer { peer-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number | version number ] *
undo ntp-service unicast-peer { peer-name | ip-address } [ vpn-instance vpn-instance-name ]
Default
No symmetric-passive peer is specified.
Views
System view
Predefined user roles
network-admin
Parameters
peer-name: Specifies a symmetric-passive peer by its host name, a case-insensitive string of 1 to 253 characters.
ip-address: Specifies a symmetric-passive peer by its IP address. It must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the symmetric-passive peer belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the symmetric-passive peer is on the public network, do not specify this option.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the peer. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, the local device and the peer do not authenticate each other.
maxpoll maxpoll-interval: Specifies the maximum polling interval. The value range for the maxpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The maximum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the maxpoll-interval argument is 6 and the default maximum polling interval is 2^6 (64) seconds.
minpoll minpoll-interval: Specifies the minimum polling interval. The value range for the minpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The minimum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the minpoll-interval argument is 6 and the default minimum polling interval is 2^6 (64) seconds.
priority: Specifies the peer specified by ip-address or peer-name as the first choice under the same condition.
source interface-type interface-number: Specifies the source interface for NTP messages. In an NTP message the local device sends to its peer, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number. If you do not specify this option, the device searches the routing table for the outgoing interface and uses the primary IP address of the outgoing interface as the source IP address of the NTP messages.
version number: Specifies the NTP version. In non-FIPS mode, the value range for the number argument is 1 to 4, and the default value is 4. In FIPS mode, the value range for the number argument is 3 to 4, and the default value is 4.
Usage guidelines
When you specify a passive peer for the device, the device and its passive peer can be synchronized to each other. If their clocks are in synchronized state, the clock with a higher stratum level is synchronized to the clock with a lower stratum level.
After you specify a symmetric-passive peer for a device, the device polls and synchronizes its time with the peer device at the minimum polling interval. If the time discrepancy between the two stays within the acceptable range, the system gradually increases the polling interval until the maximum polling interval is reached. If the time discrepancy repeatedly exceeds the acceptable range, the polling interval gradually decreases.
The polling interval configuration takes effect at the next poll.
Examples
# Specify the device with the IP address of 10.1.1.1 as the symmetric-passive peer of the local device, and configure the local device to run NTP version 4. Specify the source interface of NTP messages as GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] ntp-service unicast-peer 10.1.1.1 version 4 source gigabitethernet 1/0/1
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
ntp-service unicast-server
Use ntp-service unicast-server to specify an NTP server for the device.
Use undo ntp-service unicast-server to remove an NTP server specified for the device.
Syntax
ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number | version number ] *
undo ntp-service unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ]
Default
No NTP server is specified.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies an NTP server by its host name, a case-insensitive string of 1 to 253 characters.
ip-address: Specifies an NTP server by its IP address. It must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the NTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the NTP server is on the public network, do not specify this option.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, the local device and NTP server do not authenticate each other.
maxpoll maxpoll-interval: Specifies the maximum polling interval. The value range for the maxpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The maximum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the maxpoll-interval argument is 6 and the default maximum polling interval is 2^6 (64) seconds.
minpoll minpoll-interval: Specifies the minimum polling interval. The value range for the minpoll-interval argument is 4 to 17, to which base 2 is raised to get the interval in seconds. The minimum polling interval is in the range of 2^4 to 2^17 (16 to 131072) seconds. The default value for the minpoll-interval argument is 6 and the default minimum polling interval is 2^6 (64) seconds.
priority: Specifies this NTP server as the first choice under the same condition.
source interface-type interface-number: Specifies the source interface for NTP messages. For an NTP message the local device sends to the NTP server, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number. If you do not specify this option, the device searches the routing table for the outgoing interface and uses the primary IP address of the outgoing interface as the source IP address of the NTP messages.
version number: Specifies the NTP version. In non-FIPS mode, the value range for the number argument is 1 to 4, and the default value is 4. In FIPS mode, the value range for the number argument is 3 to 4, and the default value is 4.
Usage guidelines
When you specify an NTP server for the device, the device is synchronized to the NTP server, but the NTP server is not synchronized to the device.
To synchronize the PE to a PE or CE in a VPN instance, provide vpn-instance vpn-instance-name in your command.
If you include the vpn-instance vpn-instance-name option in the undo ntp-service unicast-server command, the command removes the NTP server in the specified VPN instance. If you do not include the vpn-instance vpn-instance-name option in the command, the command removes the NTP server on the public network.
After you specify an NTP server for a device, the device polls and synchronizes its time with the server at the minimum polling interval. If the time discrepancy between the two stays within the acceptable range, the system gradually increases the polling interval until the maximum polling interval is reached. If the time discrepancy repeatedly exceeds the acceptable range, the polling interval gradually decreases.
The polling interval configuration takes effect at the next poll.
Examples
# Specify NTP server 10.1.1.1 for the device, and configure the device to run NTP version 4.
<Sysname> system-view
[Sysname] ntp-service unicast-server 10.1.1.1 version 4
Related commands
ntp-service authentication enable
ntp-service authentication-keyid
ntp-service reliable authentication-keyid
SNTP commands
display sntp ipv6 sessions
Use display sntp ipv6 sessions to display information about all IPv6 SNTP associations.
Syntax
display sntp ipv6 sessions
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about all IPv6 SNTP associations.
<Sysname> display sntp ipv6 sessions
SNTP server: 3001::1
Stratum: 16
Version: 4
Last receive time: No packet was received.
SNTP server: 3001::100
Stratum: 3
Version: 4
Last receive time: Fri, Oct 21 2019 11:28:28.058 (Synced)
Table 7 Command output
Field | Description |
---|---|
SNTP server | SNTP server (NTP server). If this field displays ::, the IPv6 address of the NTP server has not been resolved successfully. |
Stratum | Clock stratum level. The stratum level determines the clock precision. The value is in the range of 0 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized. |
Version | NTP version. |
Last receive time | Time when the last message was received: · Synced—The local clock is synchronized to the NTP server. · No packet was received—The device has not received any SNTP session information from the server. |
display sntp sessions
Use display sntp sessions to display information about all IPv4 SNTP associations.
Syntax
display sntp sessions
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about all IPv4 SNTP associations.
<Sysname> display sntp sessions
SNTP server Stratum Version Last receive time
1.0.1.11 2 4 Tue, May 17 2019 9:11:20.833 (Synced)
Table 8 Command output
Field | Description |
---|---|
SNTP server | SNTP server (NTP server). If this field displays 0.0.0.0, the IP address of the NTP server has not been resolved successfully. |
Stratum | Clock stratum level. The stratum level determines the clock precision. The value is in the range of 0 to 16. A lower stratum level represents higher clock accuracy. A stratum 16 clock is not synchronized. |
Version | NTP version. |
Last receive time | Time when the last message was received. Synced means the local clock is synchronized to the NTP server. |
sntp authentication enable
Use sntp authentication enable to enable SNTP authentication.
Use undo sntp authentication enable to disable SNTP authentication.
Syntax
sntp authentication enable
undo sntp authentication enable
Default
SNTP authentication is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You need to enable SNTP authentication in networks that require time synchronization security to make sure SNTP clients are synchronized only to authenticated NTP servers.
To authenticate an NTP server, set an authentication key and specify it as a trusted key.
Examples
# Enable SNTP authentication.
<Sysname> system-view
[Sysname] sntp authentication enable
Related commands
sntp authentication-keyid
sntp reliable authentication-keyid
sntp authentication-keyid
Use sntp authentication-keyid to set an SNTP authentication key.
Use undo sntp authentication-keyid to remove an SNTP authentication key.
Syntax
sntp authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
undo sntp authentication-keyid keyid
Default
No SNTP authentication key exists.
Views
System view
Predefined user roles
network-admin
Parameters
keyid: Specifies an authentication key ID in the range of 1 to 4294967295.
authentication-mode: Specifies an authentication algorithm.
· hmac-sha-1: Specifies the HMAC-SHA-1 algorithm. This keyword is not supported in FIPS mode.
· hmac-sha-256: Specifies the HMAC-SHA-256 algorithm.
· hmac-sha-384: Specifies the HMAC-SHA-384 algorithm.
· hmac-sha-512: Specifies the HMAC-SHA-512 algorithm.
· md5: Specifies the MD5 algorithm. This keyword is not supported in FIPS mode.
cipher: Specifies an authentication key in encrypted form.
simple: Specifies an authentication key in plaintext form. For security purposes, the authentication key specified in plaintext form will be stored in encrypted form.
string: Specifies a case-sensitive authentication key. Its plaintext form is a string of 1 to 32 characters. Its encrypted form is a string of 1 to 73 characters.
acl ipv4-acl-number: Specifies an IPv4 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.
ipv6 acl ipv6-acl-number: Specifies an IPv6 basic ACL by its number in the range of 2000 to 2999. Only the devices permitted by the ACL can use the key ID for authentication.
Usage guidelines
You need to enable SNTP authentication in networks that require time synchronization security to make sure SNTP clients are synchronized only to authenticated NTP servers.
The key ID in the message from the peer device identifies the key used for authentication. The acl ipv4-acl-number or ipv6 acl ipv6-acl-number option is used to identify the peer device that can use the key ID.
· The device uses the acl ipv4-acl-number or ipv6 acl ipv6-acl-number option to identify whether the peer device can use the key ID only when an SNTP session to the peer device is to be established or already exists.
· If the specified ACL does not exist, or the specified ACL does not contain any rule, any device can use the key ID for authentication.
· If a VPN instance is specified in an ACL rule, the rule applies only to the packets of the VPN instance. If no VPN instance is specified in an ACL rule, the rule applies only to the packets on the public network.
To ensure a successful authentication, configure the same key ID, authentication algorithm, and key on the time server and client.
After you configure an SNTP authentication key, use the sntp reliable authentication-keyid command to set it as a trusted key. The key automatically changes to untrusted after you delete the key. In this case, you do not need to execute the undo sntp reliable authentication-keyid command.
The security strength of the five algorithms, in descending order, is HMAC-SHA-512, HMAC-SHA-384, HMAC-SHA-256, HMAC-SHA-1, and MD5.
You can set a maximum of 128 authentication keys by executing the command.
Examples
# Set an MD5 authentication key, with the key ID of 10 and key value of BetterKey. Input the key in plain text.
<Sysname> system-view
[Sysname] sntp authentication enable
[Sysname] sntp authentication-keyid 10 authentication-mode md5 simple BetterKey
Related commands
sntp authentication enable
sntp reliable authentication-keyid
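The key ID lookup, trusted-key check, and digest comparison described in the usage guidelines above can be illustrated in Python. This is an added example, not code from the device or its vendor. It uses the MD5 symmetric-key layout of RFC 5905 (a 4-byte key ID followed by MD5(key || header)); that the device implements exactly this construction is an assumption, and key ID 37 with value OtherKey is constructed.

```python
import hashlib
import hmac
import struct

# Constructed key table: key ID 10 / "BetterKey" mirrors the example above;
# key ID 37 / "OtherKey" is invented to show a configured but untrusted key.
KEYS = {10: b"BetterKey", 37: b"OtherKey"}
TRUSTED = {10}

def ntp_header(mode=4, stratum=2):
    """Constructed 48-byte NTPv4 header; timestamps are left at zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + bytes(44)

def add_mac(header, keyid, key):
    """Append the 4-byte key ID and the 16-byte MD5(key || header) digest."""
    return header + struct.pack("!I", keyid) + hashlib.md5(key + header).digest()

def verify(packet, keys=KEYS, trusted=TRUSTED):
    """Return (accepted, reason) the way an authenticating client would decide."""
    if len(packet) != 48 + 4 + 16:
        return False, "no MAC present"
    header, digest = packet[:48], packet[52:]
    keyid = struct.unpack("!I", packet[48:52])[0]
    if keyid not in keys:
        return False, "unknown key ID"
    if keyid not in trusted:
        return False, "key not trusted"
    expected = hashlib.md5(keys[keyid] + header).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time compare
        return False, "digest mismatch"
    return True, "ok"
```

Because the key is case-sensitive, a server configured with betterkey instead of BetterKey produces a digest mismatch even though the key ID and algorithm agree.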
sntp enable
Use sntp enable to enable the SNTP service.
Use undo sntp enable to disable the SNTP service.
Syntax
sntp enable
undo sntp enable
Default
The SNTP service is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
NTP and SNTP communicate using UDP port 123. If another service module uses this port, the device will fail to enable NTP and SNTP. If you enable NTP or SNTP, other service modules cannot use port 123.
Examples
# Enable the SNTP service.
<Sysname> system-view
[Sysname] sntp enable
Related commands
ntp-service enable
sntp ipv6 unicast-server
Use sntp ipv6 unicast-server to specify an IPv6 NTP server for the device.
Use undo sntp ipv6 unicast-server to remove the IPv6 NTP server specified for the device.
Syntax
sntp ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | source interface-type interface-number ] *
undo sntp ipv6 unicast-server { server-name | ipv6-address } [ vpn-instance vpn-instance-name ]
Default
No IPv6 NTP server is specified.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies an NTP server by its host name, a case-insensitive string of 1 to 253 characters.
ipv6-address: Specifies an NTP server by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the NTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the NTP server is on the public network, do not specify this option.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, the local device and NTP server do not authenticate each other.
source interface-type interface-number: Specifies the source interface for IPv6 NTP messages. If the specified IPv6 NTP server address is not a link local address, the source IPv6 address for IPv6 NTP messages sent by the local device to the NTP server is the IPv6 address of the specified source interface. If the specified IPv6 NTP server address is a link local address, the IPv6 NTP messages are sent from the specified source interface, and the source address of the messages is the link local address of the interface. The interface-type interface-number argument represents the interface type and number. If you do not specify an interface, the device automatically selects the source IPv6 address of IPv6 NTP messages. For more information, see RFC 3484.
Usage guidelines
When you specify an IPv6 NTP server for the device, the device is synchronized to the NTP server, but the NTP server is not synchronized to the device.
To synchronize the PE to a PE or CE in a VPN instance, provide the vpn-instance vpn-instance-name option in your command.
If you include the vpn-instance vpn-instance-name option in the undo sntp ipv6 unicast-server command, the command removes the NTP server in the specified VPN instance. If you do not include the vpn-instance vpn-instance-name option in the command, the command removes the NTP server on the public network.
If the specified IPv6 address of the NTP server is a link local address, you must specify the source interface for NTP messages and cannot specify a VPN instance for the NTP server.
Examples
# Specify the IPv6 NTP server 3001::1 for the device.
<Sysname> system-view
[Sysname] sntp ipv6 unicast-server 3001::1
Related commands
sntp authentication enable
sntp authentication-keyid
sntp reliable authentication-keyid
sntp reliable authentication-keyid
Use sntp reliable authentication-keyid to specify a trusted key.
Use undo sntp reliable authentication-keyid to remove the trusted key.
Syntax
sntp reliable authentication-keyid keyid
undo sntp reliable authentication-keyid keyid
Default
No trusted key is specified.
Views
System view
Predefined user roles
network-admin
Parameters
keyid: Specifies an authentication key by its ID in the range of 1 to 4294967295.
Usage guidelines
If SNTP is enabled, the SNTP client is synchronized only to an NTP server that provides a trusted key.
Before you use the command, make sure SNTP authentication is enabled and an authentication key is configured. If you delete the key, it automatically becomes untrusted, and you do not need to execute the undo sntp reliable authentication-keyid command.
Examples
# Enable SNTP authentication, and specify the MD5 authentication algorithm, with the key ID of 37 and key value of BetterKey.
<Sysname> system-view
[Sysname] sntp authentication enable
[Sysname] sntp authentication-keyid 37 authentication-mode md5 simple BetterKey
# Specify this key as a trusted key.
[Sysname] sntp reliable authentication-keyid 37
Related commands
sntp authentication-keyid
sntp authentication enable
sntp time-offset-threshold
Use sntp time-offset-threshold to specify the SNTP time-offset thresholds for log and trap outputs.
Use undo sntp time-offset-threshold to restore the default.
Syntax
sntp time-offset-threshold { log log-threshold | trap trap-threshold } *
undo sntp time-offset-threshold
Default
No SNTP time-offset thresholds are set for log and trap outputs.
Views
System view
Predefined user roles
network-admin
Parameters
log log-threshold: Specifies the SNTP time-offset threshold for log output. The value range for the log-threshold argument is 128 to 60000, in milliseconds.
trap trap-threshold: Specifies the SNTP time-offset threshold for trap output. The value range for the trap-threshold argument is 128 to 60000, in milliseconds.
Usage guidelines
By default, the SNTP client synchronizes the time with the server and outputs a log and a trap when the time offset between the client and server exceeds 128 ms multiple times.
After you set the thresholds, the SNTP client still synchronizes the time with the server when the time offset exceeds 128 ms multiple times, but outputs a log or trap only when the time offset exceeds the specified threshold.
Examples
# Set the SNTP time-offset thresholds for log and trap outputs to 500 ms and 600 ms, respectively.
<Sysname> system-view
[Sysname] sntp time-offset-threshold log 500 trap 600
sntp unicast-server
Use sntp unicast-server to specify an NTP server for the device.
Use undo sntp unicast-server to remove an NTP server specified for the device.
Syntax
sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ] [ authentication-keyid keyid | source interface-type interface-number | version number ] *
undo sntp unicast-server { server-name | ip-address } [ vpn-instance vpn-instance-name ]
Default
No NTP server is specified.
Views
System view
Predefined user roles
network-admin
Parameters
server-name: Specifies an NTP server by its host name, a case-insensitive string of 1 to 253 characters.
ip-address: Specifies an NTP server by its IP address. It must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the NTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the NTP server is on the public network, do not specify this option.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server. The value range for the keyid argument is 1 to 4294967295. If you do not specify this option, the local device and NTP server do not authenticate each other.
source interface-type interface-number: Specifies the source interface for NTP messages. In an NTP message the local device sends to the NTP server, the source IP address is the primary IP address of this interface. The interface-type interface-number argument represents the interface type and number.
version number: Specifies the NTP version. In non-FIPS mode, the value range for the number argument is 1 to 4 and the default value is 4. In FIPS mode, the value range for the number argument is 3 to 4 and the default value is 4.
Usage guidelines
When you specify an NTP server for the device, the device is synchronized to the NTP server, but the NTP server is not synchronized to the device.
To synchronize the PE to a PE or CE in a VPN instance, provide the vpn-instance vpn-instance-name option in your command.
If you include the vpn-instance vpn-instance-name option in the undo sntp unicast-server command, the command removes the NTP server in the specified VPN instance. If you do not include the vpn-instance vpn-instance-name option in the command, the command removes the NTP server on the public network.
Examples
# Specify NTP server 10.1.1.1 for the device, and configure the device to run NTP version 4.
<Sysname> system-view
[Sysname] sntp unicast-server 10.1.1.1 version 4
Related commands
sntp authentication enable
sntp authentication-keyid
sntp reliable authentication-keyid
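The SNTP commands in this reference interact: a server entry without authentication-keyid is not authenticated, a key must also be marked trusted, and MD5 is the weakest of the listed algorithms. The following Python audit is an added example, not a vendor tool. It checks a configuration for those gaps; the sample configuration is constructed from the command forms shown on this page, and server 10.1.1.2 is an invented address.

```python
import re

# Constructed sample configuration built from the command forms on this page.
SAMPLE_CONFIG = """\
sntp enable
sntp authentication enable
sntp authentication-keyid 10 authentication-mode md5 simple BetterKey
sntp authentication-keyid 37 authentication-mode md5 simple BetterKey
sntp reliable authentication-keyid 37
sntp unicast-server 10.1.1.1 version 4
sntp unicast-server 10.1.1.2 authentication-keyid 10
sntp ipv6 unicast-server 3001::1 authentication-keyid 37
"""

KEY_RE = re.compile(r"^sntp authentication-keyid (\d+) authentication-mode (\S+)")
TRUST_RE = re.compile(r"^sntp reliable authentication-keyid (\d+)")
SERVER_RE = re.compile(r"^sntp (?:ipv6 )?unicast-server (\S+)(.*)$")
SERVER_KEY_RE = re.compile(r"\bauthentication-keyid (\d+)")

def audit_sntp(config):
    """Return a sorted list of (subject, finding) tuples."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    keys, trusted, servers = {}, set(), []
    for ln in lines:
        if m := KEY_RE.match(ln):
            keys[int(m.group(1))] = m.group(2)
        elif m := TRUST_RE.match(ln):
            trusted.add(int(m.group(1)))
        elif m := SERVER_RE.match(ln):
            k = SERVER_KEY_RE.search(m.group(2))
            servers.append((m.group(1), int(k.group(1)) if k else None))
    findings = []
    if "sntp authentication enable" not in lines:
        findings.append(("global", "SNTP authentication is not enabled"))
    for server, keyid in servers:
        if keyid is None:
            findings.append((server, "no authentication-keyid: server is not authenticated"))
        elif keyid not in keys:
            findings.append((server, f"key {keyid} is not configured"))
        elif keyid not in trusted:
            findings.append((server, f"key {keyid} is not a trusted key"))
    for keyid, mode in keys.items():
        if mode == "md5":
            findings.append((f"key {keyid}", "md5 is the weakest listed algorithm"))
    return sorted(findings)
```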