Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-NTP configuration | 598.49 KB |
Restrictions and guidelines: NTP configuration
Client/server mode tasks at a glance
Symmetric active/passive mode tasks at a glance
Broadcast mode tasks at a glance
Multicast mode tasks at a glance
Configuring NTP association mode
Configuring NTP in client/server mode
Configuring NTP in symmetric active/passive mode
Configuring NTP in broadcast mode
Configuring NTP in multicast mode
Configuring the local clock as the reference source
Configuring access control rights
Configuring NTP authentication
Configuring NTP authentication in client/server mode
Configuring NTP authentication in symmetric active/passive mode
Configuring NTP authentication in broadcast mode
Configuring NTP authentication in multicast mode
Controlling NTP packet sending and receiving
Specifying the source address for NTP messages
Disabling an interface from receiving NTP messages
Configuring the maximum number of dynamic associations
Setting a DSCP value for NTP packets
Controlling NTP time synchronization
Specifying the NTP time-offset thresholds for log and trap outputs
Displaying session information about the NTP service
NTP configuration examples (on ACs)
Example: Configuring NTP client/server association mode
Example: Configuring IPv6 NTP client/server association mode
Example: Configuring NTP symmetric active/passive association mode
Example: Configuring IPv6 NTP symmetric active/passive association mode
Example: Configuring authenticated NTP in client/server association mode
Relationship between SNTP and NTP
Restrictions and guidelines: SNTP configuration
Client/server mode tasks at a glance
Broadcast mode tasks at a glance
Configuring SNTP in client/server mode
Specifying an NTP server for the device
Configuring SNTP authentication in client/server mode
Configuring SNTP in broadcast mode
Configuring the SNTP broadcast client
Configuring SNTP authentication in broadcast mode
Specifying the SNTP time-offset thresholds for log and trap outputs
Verifying and maintaining SNTP
Configuring NTP
About NTP
NTP is used to synchronize system clocks among distributed time servers and clients on a network. NTP runs over UDP and uses UDP port 123.
NTP application scenarios
Various tasks, including network management, charging, auditing, and distributed computing depend on accurate and synchronized system time setting on the network devices. NTP is typically used in large networks to dynamically synchronize time among network devices.
NTP guarantees higher clock accuracy than manual system clock setting. In a small network that does not require high clock accuracy, you can keep time synchronized among devices by changing their system clocks one by one.
NTP working mechanism
Figure 1 shows how NTP synchronizes the system time between two devices (Device A and Device B, in this example). Assume that:
· Prior to the time synchronization, the time is set to 10:00:00 am for Device A and 11:00:00 am for Device B.
· Device B is used as the NTP server. Device A is to be synchronized to Device B.
· It takes 1 second for an NTP message to travel from Device A to Device B, and from Device B to Device A.
· It takes 1 second for Device B to process the NTP message.
The synchronization process is as follows:
2. Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The time stamp is 10:00:00 am (T1).
3. When this NTP message arrives at Device B, Device B adds a timestamp showing the time when the message arrived at Device B. The timestamp is 11:00:01 am (T2).
4. When the NTP message leaves Device B, Device B adds a timestamp showing the time when the message left Device B. The timestamp is 11:00:02 am (T3).
5. When Device A receives the NTP message, the local time of Device A is 10:00:03 am (T4).
Up to now, Device A can calculate the following parameters based on the timestamps:
· The roundtrip delay of the NTP message: Delay = (T4 – T1) – (T3 – T2) = 2 seconds.
· Time difference between Device A and Device B: Offset = [ (T2 – T1) + (T3 – T4) ] /2 = 1 hour.
Based on these parameters, Device A can be synchronized to Device B.
This is only a rough description of the work mechanism of NTP. For more information, see the related protocols and standards.
NTP architecture
|
|
CAUTION: When the device acts as an NTP client, the NTP server's clock stratum must be not smaller than 0 and not larger than 14. If the NTP server's clock stratum is larger than 14, the device will not synchronize with that server's clock. You can log in to the NTP server to change its clock stratum by executing the ntp-service refclock-master command. · To check the stratum for an IPv4 NTP server, execute the display ntp-service sessions command on the device and check the stra field in the output. · To check the stratum for an IPv6 NTP server, execute the display ntp-service ipv6 sessions command on the device and check the Clock stratum field in the output. |
NTP network architecture
Figure 2 NTP network architecture
As shown in Figure 2, the NTP network is a hierarchical distributed system that contains multiple tiers of clocks to provide time synchronization services. This architecture helps reduce dependency on a single time source while providing redundancy and load balancing. The following are the key components of the NTP network:
· Stratum 0—The highest precision devices, such as atomic clocks, GPS, or radio clocks. They do not directly connect to the network but provide time to stratum 1 servers through wired or wireless connections.
· Stratum 1—Servers directly connected to stratum 0 devices. They act as primary time servers or reference clocks. Stratum 1 servers are typically used to provide precise time for public or private networks.
· Stratum 2—Servers connected to stratum 1 servers, receiving time from one or more stratum 1 servers and then providing time to lower-stratum servers or clients.
· Stratum 3 through stratum 15—Servers that receive time from servers of a higher stratum and that distribute this time down. Each stratum introduces some delay and jitter, but time synchronization accuracy can be achieved through complex algorithms and the use of multiple time sources.
If the devices in a network cannot synchronize to an authoritative time source, you can perform the following tasks:
· Select a device that has a relatively accurate clock from the network.
· Use the local clock of the device as the reference clock to synchronize other devices in the network.
NTP stratum
The NTP clock stratum represents the hierarchical level of an NTP server within the time synchronization structure. The stratum value is in the range of 1 to 15, with a larger value indicating a greater distance from the reference time source, which might result in reduced synchronization accuracy.
The clock stratum is typically determined automatically based on the upstream time source to which the server is connected. An NTP client only synchronizes with an NTP server whose clock stratum is less than or equal to its own, and the server’s stratum must be in the range of 0 to 14. Therefore, if you configure the device as an NTP server, you must set its clock stratum according to the network hierarchy.
NTP association modes
About NTP association modes
NTP supports the following association modes:
· Client/server mode
· Symmetric active/passive mode
· Broadcast mode
· Multicast mode
You can select one or more association modes for time synchronization. Table 1 provides detailed description for the four association modes. If the device acts as an NTP client and receives multiple NTP clock signals, it selects the optimal NTP clock for time synchronization.
In this document, an "NTP server" or a "server" refers to a device that operates as an NTP server in client/server mode. Time servers refer to all the devices that can provide time synchronization, including NTP servers, NTP symmetric peers, broadcast servers, and multicast servers.
|
Mode |
Synchronization direction |
Application scenario |
|
Client/server |
From the server to the client |
As shown in the NTP architecture diagram in "NTP architecture," this mode is intended for scenarios where devices with a higher stratum value obtain time from a device with a lower stratum value. You are required to specify the IP address of the NTP server on the client. |
|
Symmetric active/passive |
· If the symmetric peers are the same in the clock stratum, they can be synchronized to each other. · If the symmetric peers are different in the clock stratum, the peer with a smaller clock stratum will synchronize the clock of the peer with a greater clock stratum. |
As shown in the NTP architecture diagram in "NTP architecture," this mode is most often used between servers with the same stratum to operate as a backup for one another. If a server fails to communicate with all the servers of a lower stratum, the server can still synchronize to the servers of the same stratum. You are required to specify the IP address of the symmetric passive peer on the symmetric active peer. |
|
Broadcast |
From the broadcast server to the client. |
A broadcast server sends clock synchronization messages to synchronize clients in the same subnet. As shown in the NTP architecture diagram in "NTP architecture," broadcast mode is intended for configurations involving one or a few servers and a potentially large client population. The broadcast mode has lower time accuracy than the client/server and symmetric active/passive modes because only the broadcast servers send clock synchronization messages. |
|
Multicast |
From the multicast server to the client. |
A multicast server can provide time synchronization for clients in the same subnet or in different subnets. The multicast mode has lower time accuracy than the client/server and symmetric active/passive modes. |
Operating mechanism for client/server association mode
NTP client/server mode allows an NTP server to maintain time information and allow NTP clients to communicate with the server to calibrate their clocks. In this mode, clients can accurately synchronize time with the server, ensuring time consistency across the network.
The time synchronization process in NTP client/server mode is as follows:
1. The client periodically sends time synchronization request messages to the server, with the mode field set to 3, indicating client mode. The client does not concern about the server's reachability or stratum.
2. Upon receiving the synchronization request from the client, the server fills the current time information in the response message and sets the mode field to 4, indicating server mode. Then, it sends the message back to the client. During this process, the server does not need to retain any state information about the client.
3. Upon receiving the response from the server, the client performs clock filtering and selection, and synchronizes its local clock to that of the optimal clock.
Figure 3 Operating mechanism for client/server association mode
Operating mechanism for symmetric active/passive mode
In symmetric active/passive mode, time synchronization is implemented through communication and negotiation between two nodes (peers). Both peers can act as the time source, with the more reliable and accurate time from both nodes as the optimal time.
The time synchronization process in symmetric active/passive mode is as follows:
1. The symmetric active peer first sends a message with the mode field set to 1 (indicating an active peer), and the passive peer responds with a message with the mode field set to 2 (indicating a passive peer) to establish a peer relationship.
2. The peers send and receive time information for each other and use it to adjust their clocks. During this process, the two peers calculate the round-trip time delay and offset, and adjust their local clocks accordingly.
The peer with a smaller clock stratum will synchronize the clock of the peer with a greater clock stratum. The stratum indicates the distance from the standard time source. Nodes with a lower stratum are determined as closer to the standard time source, and therefore more reliable.
If the active peer can synchronize time with multiple time servers, it performs clock filtering and selection after receiving a response message. NTP uses a series of complex algorithms, such as clock filtering, offset prediction, and jitter estimation to select the best time sample and adjust the local time accordingly. Through these algorithms, the peers select the most stable and reliable time sample over a period as the basis for time synchronization.
Figure 4 Operating mechanism for symmetric active/passive mode
Operating mechanism for broadcast mode
NTP broadcast mode allows an NTP server to broadcast time information to the entire network. In this mode, any NTP clients listening to the broadcast can receive the time information and synchronize their system clocks accordingly.
The time synchronization process in NTP broadcast mode is as follows:
1. The broadcast server periodically sends clock synchronization request messages to broadcast address 255.255.255.255, with the mode field set to 5, indicating broadcast mode.
2. The broadcast client listens to the broadcast messages from the server. When the client receives the first broadcast message, the client and the server start to exchange messages to calculate the network delay between them.
3. The client enters broadcast mode, continues to listen for subsequent broadcast messages, and synchronizes its local clock based on the time information in these messages. Then, only the broadcast server sends clock synchronization messages.
Figure 5 Operating mechanism for broadcast mode
Operating mechanism for multicast mode
NTP multicast mode allows an NTP server to send time synchronization messages to user-configured IPv4 or IPv6 multicast addresses. A multicast server can provide time synchronization for clients in the same subnet or in different subnets. Only clients that have joined a multicast group can receive and process these messages.
The time synchronization process in NTP multicast mode is as follows:
1. The multicast server periodically sends clock synchronization request messages to the user-configured IPv4 or IPv6 multicast address, with the mode field set to 5, indicating multicast mode.
2. The broadcast client listens to the broadcast messages from the server. When the client receives the first broadcast message, the client and the server start to exchange messages to calculate the network delay between them.
3. The client enters multicast mode, continues to listen for subsequent multicast messages, and synchronizes its local clock based on the time information in these messages.
Figure 6 Operating mechanism for multicast mode
NTP security
To improve time synchronization security, NTP provides the access control and authentication functions.
NTP access control
You can control NTP access by using an ACL. The access rights are in the following order, from the least restrictive to the most restrictive:
· Peer—Allows time requests and NTP control queries (such as alarms, authentication status, and time server information) and allows the local device to synchronize itself to a peer device.
· Server—Allows time requests and NTP control queries, but does not allow the local device to synchronize itself to a peer device.
· Synchronization—Allows only time requests from a system whose address passes the access list criteria.
· Query—Allows only NTP control queries from a peer device to the local device.
When the device receives an NTP request, it matches the request against the access rights in order from the least restrictive to the most restrictive: peer, server, synchronization, and query.
· If no NTP access control is configured, the peer access right applies.
· If the IP address of the peer device matches a permit statement in an ACL, the access right is granted to the peer device. If a deny statement or no ACL is matched, no access right is granted.
· If no ACL is specified for an access right or the ACL specified for the access right is not created, the access right is not granted.
· If none of the ACLs specified for the access rights is created, the peer access right applies.
· If none of the ACLs specified for the access rights contains rules, no access right is granted.
This feature provides minimal security for a system running NTP. A more secure method is NTP authentication.
NTP authentication
Use this feature to authenticate the NTP messages for security purposes. If an NTP message passes authentication, the device can receive it and get time synchronization information. If not, the device discards the message. This function makes sure the device does not synchronize to an unauthorized time server.
Figure 7 NTP authentication
As shown in Figure 7, NTP authentication is performed as follows:
2. The sender uses the key identified by the key ID to calculate a digest for the NTP message through the MD5/HMAC authentication algorithm. Then it sends the calculated digest together with the NTP message and key ID to the receiver.
3. Upon receiving the message, the receiver performs the following actions:
a. Finds the key according to the key ID in the message.
b. Uses the key and the MD5/HMAC authentication algorithm to calculate the digest for the message.
c. Compares the digest with the digest contained in the NTP message.
- If they are different, the receiver discards the message.
- If they are the same and an NTP association is not required to be established, the receiver provides a response packet. For information about NTP associations, see "Configuring the maximum number of dynamic associations."
- If they are the same and an NTP association is required to be established or has existed, the local device determines whether the sender is allowed to use the authentication ID. If the sender is allowed to use the authentication ID, the receiver accepts the message. If the sender is not allowed to use the authentication ID, the receiver discards the message.
Protocols and standards
· RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis
· RFC 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification
Restrictions and guidelines: NTP configuration
· You cannot configure both NTP and SNTP on the same device. NTP and SNTP communicate using UDP port 123. If another service module uses this port, the device will fail to enable NTP and SNTP. If you enable NTP or SNTP, other service modules cannot use port 123.
· NTP is supported only on VLAN interfaces and tunnel interfaces.
· Do not configure NTP settings on an aggregate member port.
· The NTP service and SNTP service are mutually exclusive. You can only enable either NTP service or SNTP service at a time.
· To avoid frequent time changes or even synchronization failures, do not specify more than one reference source on a network.
· For correct time synchronization, make sure the time offset between the system time and the NTP clock source is less than 68 years.
|
|
CAUTION: When the device acts as an NTP client, the NTP server's clock stratum must be not smaller than 0 and not larger than 14. If the NTP server's clock stratum is larger than 14, the device will not synchronize with that server's clock. You can log in to the NTP server to change its clock stratum by executing the ntp-service refclock-master command. · To check the stratum for an IPv4 NTP server, execute the display ntp-service sessions command on the device and check the stra field in the output. · To check the stratum for an IPv6 NTP server, execute the display ntp-service ipv6 sessions command on the device and check the Clock stratum field in the output. |
Client/server mode tasks at a glance
Tasks on the client
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in client/server mode
3. (Optional.) Configuring access control rights
4. (Optional.) Configuring NTP authentication in client/server mode
5. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
6. (Optional.) Controlling NTP time synchronization
7. (Optional.) Specifying the NTP time-offset thresholds for log and trap outputs
Tasks on the server
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in client/server mode
You must enable the NTP server. By default, the NTP server is enabled. You do not need to perform this step.
3. (Optional.) Configuring the local clock as the reference source
4. (Optional.) Configuring access control rights
5. (Optional.) Configuring NTP authentication in client/server mode
6. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
Symmetric active/passive mode tasks at a glance
Tasks on the active peer
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in symmetric active/passive mode
3. (Optional.) Configuring the local clock as the reference source
4. (Optional.) Configuring access control rights
5. (Optional.) Configuring NTP authentication in symmetric active/passive mode
6. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
7. (Optional.) Controlling NTP time synchronization
8. (Optional.) Specifying the NTP time-offset thresholds for log and trap outputs
Tasks on the passive peer
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in symmetric active/passive mode
3. (Optional.) Configuring the local clock as the reference source
4. (Optional.) Configuring access control rights
5. (Optional.) Configuring NTP authentication in symmetric active/passive mode
6. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
7. (Optional.) Controlling NTP time synchronization
8. (Optional.) Specifying the NTP time-offset thresholds for log and trap outputs
Broadcast mode tasks at a glance
Tasks on the client
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in broadcast mode
3. (Optional.) Configuring access control rights
4. (Optional.) Configuring NTP authentication in broadcast mode
5. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
6. (Optional.) Controlling NTP time synchronization
7. (Optional.) Specifying the NTP time-offset thresholds for log and trap outputs
Tasks on the server
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in broadcast mode
3. (Optional.) Configuring the local clock as the reference source
4. (Optional.) Configuring access control rights
5. (Optional.) Configuring NTP authentication in broadcast mode
6. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
Multicast mode tasks at a glance
Tasks on the client
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in multicast mode
3. (Optional.) Configuring access control rights
4. (Optional.) Configuring NTP authentication in multicast mode
5. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
6. (Optional.) Controlling NTP time synchronization
7. (Optional.) Specifying the NTP time-offset thresholds for log and trap outputs
Tasks on the server
By default, the NTP service is enabled. You do not need to perform this step.
2. Configuring NTP in multicast mode
3. (Optional.) Configuring the local clock as the reference source
4. (Optional.) Configuring access control rights
5. (Optional.) Configuring NTP authentication in multicast mode
6. (Optional.) Controlling NTP packet sending and receiving
¡ Specifying the source address for NTP messages
¡ Disabling an interface from receiving NTP messages
¡ Configuring the maximum number of dynamic associations
¡ Setting a DSCP value for NTP packets
Enabling the NTP service
Restrictions and guidelines
NTP and SNTP are mutually exclusive. Before you enable NTP, make sure SNTP is disabled.
Procedure
1. Enter system view.
system-view
2. Enable the NTP service.
ntp-service enable
By default, the NTP service is disabled.
Configuring NTP association mode
Configuring NTP in client/server mode
Restrictions and guidelines
To configure NTP in client/server mode, specify an NTP server for the client.
For a client to synchronize to an NTP server, make sure the server is synchronized by other devices or uses its local clock as the reference source.
If the stratum level of a server is higher than or equal to a client, the client will not synchronize to that server.
You can specify multiple servers for a client by executing the ntp-service unicast-server or ntp-service ipv6 unicast-server command multiple times.
Configuring the NTP client
1. Enter system view.
system-view
2. Specify an NTP server for the device.
IPv4:
ntp-service unicast-server { server-name | ip-address } [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number | version number ] *
IPv6:
ntp-service ipv6 unicast-server { server-name | ipv6-address } [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number ] *
By default, no NTP server is specified.
Configuring NTP in symmetric active/passive mode
Restrictions and guidelines
To configure NTP in symmetric active/passive mode, specify a symmetric passive peer for the active peer.
For a symmetric passive peer to process NTP messages from a symmetric active peer, execute the ntp-service enable command on the symmetric passive peer to enable NTP.
For time synchronization between the symmetric active peer and the symmetric passive peer, make sure either or both of them are in synchronized state.
You can specify multiple symmetric passive peers by executing the ntp-service unicast-peer or ntp-service ipv6 unicast-peer command multiple times.
Procedure
1. Enter system view.
system-view
2. Specify a symmetric passive peer for the device.
IPv4:
ntp-service unicast-peer { peer-name | ip-address } [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number | version number ] *
IPv6:
ntp-service ipv6 unicast-peer { peer-name | ipv6-address } [ authentication-keyid keyid | maxpoll maxpoll-interval | minpoll minpoll-interval | priority | source interface-type interface-number ] *
By default, no symmetric passive peer is specified.
3. Enable NTP server.
IPv4 network:
ntp-service time-server enable
By default, NTP server is enabled.
IPv6 network:
ntp-service ipv6 time-server enable
By default, IPv6 NTP server is enabled.
A device can synchronize the time of other devices through NTP only when it meets the following conditions:
¡ NTP server is enabled on the device by using the ntp-service time-server enable command.
¡ The device is permitted by the ACLs configured in the ntp-service acl or ntp-service ipv6 acl command on the peer devices.
If you disable NTP server on the device, the device cannot synchronize the time of other devices through NTP.
Configuring NTP in broadcast mode
Restrictions and guidelines
To configure NTP in broadcast mode, you must configure an NTP broadcast client and an NTP broadcast server.
For a broadcast client to synchronize to a broadcast server, make sure the broadcast server is synchronized by other devices or uses its local clock as the reference source.
Configuring the broadcast client
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the device to operate in broadcast client mode.
ntp-service broadcast-client
By default, the device does not operate in any NTP association mode.
After you execute the command, the device receives NTP broadcast messages from the specified interface.
Configuring the broadcast server
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the device to operate in NTP broadcast server mode.
ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
By default, the device does not operate in any NTP association mode.
After you execute the command, the device sends NTP broadcast messages from the specified interface.
4. Enable NTP server.
IPv4 network:
ntp-service time-server enable
By default, NTP server is enabled.
IPv6 network:
ntp-service ipv6 time-server enable
By default, IPv6 NTP server is enabled.
A device can synchronize the time of other devices through NTP only when it meets the following conditions:
¡ NTP server is enabled on the device by using the ntp-service time-server enable command.
¡ The device is permitted by the ACLs configured in the ntp-service acl or ntp-service ipv6 acl command on the peer devices.
If you disable NTP server on the device, the device cannot synchronize the time of other devices through NTP.
Configuring NTP in multicast mode
Restrictions and guidelines
To configure NTP in multicast mode, you must configure an NTP multicast client and an NTP multicast server.
For a multicast client to synchronize to a multicast server, make sure the multicast server is synchronized by other devices or uses its local clock as the reference source.
Configuring a multicast client
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the device to operate in multicast client mode.
IPv4:
ntp-service multicast-client [ ip-address ]
IPv6:
ntp-service ipv6 multicast-client ipv6-address
By default, the device does not operate in any NTP association mode.
After you execute the command, the device receives NTP multicast messages from the specified interface.
Configuring the multicast server
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the device to operate in multicast server mode.
IPv4:
ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
IPv6:
ntp-service ipv6 multicast-server ipv6-address [ authentication-keyid keyid | ttl ttl-number ] *
By default, the device does not operate in any NTP association mode.
After you execute the command, the device sends NTP multicast messages from the specified interface.
4. Enable NTP server.
IPv4 network:
ntp-service time-server enable
By default, NTP server is enabled.
IPv6 network:
ntp-service ipv6 time-server enable
By default, IPv6 NTP server is enabled.
A device can synchronize the time of other devices through NTP only when it meets the following conditions:
¡ NTP server is enabled on the device by using the ntp-service time-server enable command.
¡ The device is permitted by the ACLs configured in the ntp-service acl or ntp-service ipv6 acl command on the peer devices.
If you disable NTP server on the device, the device cannot synchronize the time of other devices through NTP.
Configuring the local clock as the reference source
About this task
The clock stratum of an NTP server that obtains time synchronization from an authoritative clock (such as an atomic clock) is typically set to 1 and used as the primary time server to synchronize the clocks of other devices in the network. The NTP distance between devices and the primary time server in the network, which is the number of servers in the NTP synchronization chain, determines the stratum of the device clocks.
If the devices in a network cannot synchronize to an authoritative time source, you can perform the following tasks:
· Select a device that has a relatively accurate clock from the network.
· Use the local clock of the device as the reference clock to synchronize other devices in the network.
Restrictions and guidelines
Make sure the local clock can provide the time accuracy required for the network. After you configure the local clock as the reference source, the local clock is synchronized, and can operate as a time server to synchronize other devices in the network. If the local clock is incorrect, timing errors occur.
The system time reverts to the initial BIOS default after a reboot. As a best practice, do not configure the local clock as the reference source or configure the device as a time server.
The system time reverts to the initial BIOS default after a cold reboot. The system clock stops and does not record the passing of time during a warm reboot. As a best practice, do not configure the local clock as the reference source or configure the device as a time server.
Devices differ in clock precision. As a best practice to avoid network flapping and clock synchronization failure, configure only one reference clock on the same network segment and make sure the clock has high precision.
Prerequisites
Before you configure this feature, adjust the local system time to ensure that it is accurate.
Procedure
1. Enter system view.
system-view
2. Configure the local clock as the reference source.
ntp-service refclock-master [ ip-address ] [ stratum ]
By default, the device does not use the local clock as the reference source.
Configuring access control rights
Prerequisites
Before you configure the right for peer devices to access the NTP services on the local device, create and configure ACLs associated with the access right. For information about configuring an ACL, see Security Configuration Guide
Restrictions and guidelines
Follow the restrictions and guidelines as described in Table 2 to configure the access control rights.
Table 2 Restrictions and guidelines for configuring access control rights
|
Access control right |
Whether the time can be synchronized (whether configurable on a client) |
Whether the time of other devices can be synchronized (whether configurable on a time server) |
Whether control queries are allowed |
|
Peer |
Yes |
Yes |
Yes |
|
Server |
No |
Yes |
Yes |
|
Synchronization |
No |
Yes |
No |
|
Query |
No |
No |
Yes |
The ntp-service noquery enable command and its undo form are used only to configure the device to disallow or allow control queries and do not disable or enable clock synchronization. If the ntp-service noquery enable command or its undo form and the ntp-service acl or ntp-service ipv6 acl command are both configured, the ntp-service noquery enable command or its undo form determines whether control queries are allowed.
Procedure
1. Enter system view.
system-view
2. Configure the right for peer devices to access the NTP services on the local device.
IPv4:
ntp-service { peer | query | server | synchronization } acl { ipv4-acl-number | name ipv4-acl-name }
IPv6:
ntp-service ipv6 { peer | query | server | synchronization } acl { ipv6-acl-number | name ipv6-acl-name }
By default, the right for peer devices to access the NTP services on the local device is peer.
3. Disallow control queries for the local device.
ntp-service noquery enable
By default, control queries for the local device are allowed.
Configuring NTP authentication
Configuring NTP authentication in client/server mode
Restrictions and guidelines
To ensure a successful NTP authentication in client/server mode, configure the same authentication key ID, algorithm, and key on the server and client. Make sure the peer device is allowed to use the key ID for authentication on the local device.
NTP authentication results differ when different configurations are performed on client and server. For more information, see Table 3. (N/A in the table means that whether the configuration is performed or not does not make any difference.)
Table 3 NTP authentication results
|
Client |
Server |
||||
|
Enable NTP authentication |
Specify the server and key |
Trusted key |
Enable NTP authentication |
Trusted key |
|
|
Successful authentication |
|||||
|
Yes |
Yes |
Yes |
Yes |
Yes |
|
|
Failed authentication |
|||||
|
Yes |
Yes |
Yes |
Yes |
No |
|
|
Yes |
Yes |
Yes |
No |
N/A |
|
|
Yes |
Yes |
No |
N/A |
N/A |
|
|
Authentication not performed |
|||||
|
Yes |
No |
N/A |
N/A |
N/A |
|
|
No |
N/A |
N/A |
N/A |
N/A |
|
Configuring NTP authentication for a client
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
5. Associate the specified key with an NTP server.
IPv4:
ntp-service unicast-server { server-name | ip-address } authentication-keyid keyid
IPv6:
ntp-service ipv6 unicast-server { server-name | ipv6-address } authentication-keyid keyid
Configuring NTP authentication for a server
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
Configuring NTP authentication in symmetric active/passive mode
Restrictions and guidelines
To ensure a successful NTP authentication in symmetric active/passive mode, configure the same authentication key ID, algorithm, and key on the active peer and passive peer. Make sure the peer device is allowed to use the key ID for authentication on the local device.
NTP authentication results differ when different configurations are performed on active peer and passive peer. For more information, see Table 4. (N/A in the table means that whether the configuration is performed or not does not make any difference.)
Table 4 NTP authentication results
|
Active peer |
Passive peer |
||||
|
Enable NTP authentication |
Specify the peer and key |
Trusted key |
Stratum level |
Enable NTP authentication |
Trusted key |
|
Successful authentication |
|||||
|
Yes |
Yes |
Yes |
N/A |
Yes |
Yes |
|
Failed authentication |
|||||
|
Yes |
Yes |
Yes |
N/A |
Yes |
No |
|
Yes |
Yes |
Yes |
N/A |
No |
N/A |
|
Yes |
No |
N/A |
N/A |
Yes |
N/A |
|
No |
N/A |
N/A |
N/A |
Yes |
N/A |
|
Yes |
Yes |
No |
Larger than the passive peer |
N/A |
N/A |
|
Yes |
Yes |
No |
Smaller than the passive peer |
Yes |
N/A |
|
Authentication not performed |
|||||
|
Yes |
No |
N/A |
N/A |
No |
N/A |
|
No |
N/A |
N/A |
N/A |
No |
N/A |
|
Yes |
Yes |
No |
Smaller than the passive peer |
No |
N/A |
Configuring NTP authentication for an active peer
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
5. Associate the specified key with a passive peer.
IPv4:
ntp-service unicast-peer { ip-address | peer-name } authentication-keyid keyid
IPv6:
ntp-service ipv6 unicast-peer { ipv6-address | peer-name } authentication-keyid keyid
Configuring NTP authentication for a passive peer
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
Configuring NTP authentication in broadcast mode
Restrictions and guidelines
To ensure a successful NTP authentication in broadcast mode, configure the same authentication key ID, algorithm, and key on the broadcast server and client. Make sure the peer device is allowed to use the key ID for authentication on the local device.
NTP authentication results differ when different configurations are performed on broadcast client and server. For more information, see Table 5. (N/A in the table means that whether the configuration is performed or not does not make any difference.)
Table 5 NTP authentication results
|
Broadcast server |
Broadcast client |
|||
|
Enable NTP authentication |
Specify the server and key |
Trusted key |
Enable NTP authentication |
Trusted key |
|
Successful authentication |
||||
|
Yes |
Yes |
Yes |
Yes |
Yes |
|
Failed authentication |
||||
|
Yes |
Yes |
Yes |
Yes |
No |
|
Yes |
Yes |
Yes |
No |
N/A |
|
Yes |
Yes |
No |
Yes |
N/A |
|
Yes |
No |
N/A |
Yes |
N/A |
|
No |
N/A |
N/A |
Yes |
N/A |
|
Authentication not performed |
||||
|
Yes |
Yes |
No |
No |
N/A |
|
Yes |
No |
N/A |
No |
N/A |
|
No |
N/A |
N/A |
No |
N/A |
Configuring NTP authentication for a broadcast client
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
Configuring NTP authentication for a broadcast server
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
5. Enter interface view.
interface interface-type interface-number
6. Associate the specified key with the broadcast server.
ntp-service broadcast-server authentication-keyid keyid
By default, the broadcast server is not associated with a key.
Configuring NTP authentication in multicast mode
Restrictions and guidelines
To ensure a successful NTP authentication in multicast mode, configure the same authentication key ID, algorithm, and key on the multicast server and client. Make sure the peer device is allowed to use the key ID for authentication on the local device.
NTP authentication results differ when different configurations are performed on broadcast client and server. For more information, see Table 6. (N/A in the table means that whether the configuration is performed or not does not make any difference.)
Table 6 NTP authentication results
|
Multicast server |
Multicast client |
|||
|
Enable NTP authentication |
Specify the server and key |
Trusted key |
Enable NTP authentication |
Trusted key |
|
Successful authentication |
||||
|
Yes |
Yes |
Yes |
Yes |
Yes |
|
Failed authentication |
||||
|
Yes |
Yes |
Yes |
Yes |
No |
|
Yes |
Yes |
Yes |
No |
N/A |
|
Yes |
Yes |
No |
Yes |
N/A |
|
Yes |
No |
N/A |
Yes |
N/A |
|
No |
N/A |
N/A |
Yes |
N/A |
|
Authentication not performed |
||||
|
Yes |
Yes |
No |
No |
N/A |
|
Yes |
No |
N/A |
No |
N/A |
|
No |
N/A |
N/A |
No |
N/A |
Configuring NTP authentication for a multicast client
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
Configuring NTP authentication for a multicast server
1. Enter system view.
system-view
2. Enable NTP authentication.
ntp-service authentication enable
By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
ntp-service authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no NTP authentication key exists.
4. Configure the key as a trusted key.
ntp-service reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
5. Enter interface view.
interface interface-type interface-number
6. Associate the specified key with a multicast server.
IPv4:
ntp-service multicast-server [ ip-address ] authentication-keyid keyid
IPv6:
ntp-service ipv6 multicast-server ipv6-multicast-address authentication-keyid keyid
By default, no multicast server is associated with the specified key.
Controlling NTP packet sending and receiving
Specifying the source address for NTP messages
About this task
You can specify the source IP address for NTP messages directly or by specifying a source interface. If you specify a source interface for NTP messages, the address of the specified source interface will be the source address of NTP messages.
Restrictions and guidelines
To prevent interface status changes from causing NTP communication failures, configure the device to use the IP address of an interface that is always up. For example, you can configure the device to use a loopback interface as the source IP address for the NTP messages.
When the device responds to an NTP request, the source IP address of the NTP response is always the IP address of the interface that has received the NTP request.
If you have specified the source interface for NTP messages in the ntp-service unicast-server/ntp-service ipv6 unicast-server or ntp-service unicast-peer/ntp-service ipv6 unicast-peer command, this interface is used as the source interface for NTP messages.
If you have configured the ntp-service broadcast-server or ntp-service multicast-server/ntp-service ipv6 multicast-server command on an interface, this interface is used as the source interface for broadcast or multicast NTP messages.
Procedure
1. Enter system view.
system-view
2. Specify the source address for NTP packets.
IPv4:
ntp-service source { interface-type interface-number | ipv4-address }
IPv6:
ntp-service ipv6 source interface-type interface-number
By default, no source address is specified for NTP messages.
Disabling an interface from receiving NTP messages
About this task
When NTP is enabled, all interfaces by default can receive NTP messages. For security purposes, you can disable some of the interfaces from receiving NTP messages.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Disable the interface from receiving NTP packets.
IPv4:
undo ntp-service inbound enable
IPv6:
undo ntp-service ipv6 inbound enable
By default, an interface receives NTP messages.
Configuring the maximum number of dynamic associations
About this task
Perform this task to restrict the number of dynamic associations to prevent dynamic associations from occupying too many system resources.
NTP has the following types of associations:
· Static association—A manually created association.
· Dynamic association—Temporary association created by the system during NTP operation. A dynamic association is removed if no messages are exchanged within about 12 minutes.
The following describes how an association is established in different association modes:
· Client/server mode—After you specify an NTP server, the system creates a static association on the client. The server simply responds passively upon the receipt of a message, rather than creating an association (static or dynamic).
· Symmetric active/passive mode—After you specify a symmetric passive peer on a symmetric active peer, static associations are created on the symmetric active peer, and dynamic associations are created on the symmetric passive peer.
· Broadcast or multicast mode—Static associations are created on the server, and dynamic associations are created on the client.
Restrictions and guidelines
A single device can have a maximum of 128 concurrent associations, including static associations and dynamic associations.
The ntp-service max-dynamic-sessions command does not affect existing NTP associations. After this command is configured, new associations will not be established if the maximum number of associations has been reached or exceeded.
Procedure
1. Enter system view.
system-view
2. Configure the maximum number of dynamic sessions.
ntp-service max-dynamic-sessions number
By default, the maximum number of dynamic sessions is 100.
Setting a DSCP value for NTP packets
About this task
The DSCP value determines the sending precedence of an NTP packet.
Procedure
1. Enter system view.
system-view
2. Set a DSCP value for NTP packets.
IPv4:
ntp-service dscp dscp-value
IPv6:
ntp-service ipv6 dscp dscp-value
The default DSCP value is 48 for IPv4 packets and 56 for IPv6 packets.
Controlling NTP time synchronization
About this task
Application scenarios
This feature controls whether the device synchronizes the time with an NTP server when it acts as an NTP client.
Operating mechanism
When the device acts as an NTP client, it subtracts the local time from the time provided by the NTP server to calculate the time offset. The device will adjust the local NTP time based on this offset. If this offset exceeds the configured maximum offset, the device will determine that the time from the NTP server is unreliable and will not synchronize the time from the NTP server.
Procedure
1. Enter system view.
system-view
2. Set the maximum allowed time offset for NTP synchronization.
ntp-service time-offset-limit limit-threshold
By default, no maximum allowed time offset for NTP synchronization is configured
Specifying the NTP time-offset thresholds for log and trap outputs
About this task
Application scenarios
This task monitors whether the time provided by the NTP server is within the normal range. If it exceeds the specified range, logs and notification messages are generated to alert the administrator to check whether the NTP server is normal.
Operating mechanism
The device periodically subtracts the local time of the NTP client from the time provided by the NTP server to obtain a time offset. This time offset should remain stable within a small range of changes.
· If the calculated time offset exceeds the NTP time offset threshold for log output, the NTP module will automatically generate a log to alert the administrator that the time provided by the NTP server might be abnormal.
· If the calculated time offset of the device exceeds the NTP time offset threshold for trap output, the NTP module will automatically generate a notification to alert the administrator that the time provided by the NTP server might be abnormal.
Prerequisites
Logs triggered by this task will be sent to the device's information center module. You can configure information center module parameters for the logs to be output as desired. For more information about the information center module parameters, see information center configuration in System Management Configuration Guide.
Notifications triggered by this task will be sent to the device's SNMP module. You can configure SNMP notification output parameters for the notifications to be output as desired. For more information about SNMP notifications, see SNMP configuration in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Specify the NTP time-offset thresholds for log and trap outputs.
ntp-service time-offset-threshold { log log-threshold | trap trap-threshold } *
By default, no NTP time-offset thresholds are set for log and trap outputs.
Verifying and maintaining NTP
Verifying NTP service status
To display information about NTP service status, execute the following command in any view.
display ntp-service status
Displaying session information about the NTP service
Perform display tasks in any view.
display ntp-service sessions [ verbose ]
display ntp-service ipv6 sessions [ verbose ]
Displaying brief information about the NTP servers from the local device back to the primary NTP server
To display brief information about the NTP servers from the local device back to the primary NTP server, execute the following command in any view.
display ntp-service trace [ source interface-type interface-number ]
The ntp-service noquery enable command is mutually exclusive with the display ntp-service trace command. To use the display ntp-service trace command, you must configure the device to allow control queries.
NTP configuration examples (on ACs)
Example: Configuring NTP client/server association mode
Network configuration
As shown in Figure 8, perform the following tasks:
· Configure the AC's local clock as its reference source, with stratum level 2.
· Configure the switch to operate in client mode and specify the AC as the NTP server of the switch.
Procedure
1. Assign an IP address to each interface, and make sure the AC and the switch can reach each other, as shown in Figure 8. (Details not shown.)
2. Configure the AC:
# Enable the NTP service.
<AC> system-view
[AC] ntp-service enable
# Specify the local clock as the reference source, with stratum level 2.
[AC] ntp-service refclock-master 2
3. Configure the switch:
# Enable the NTP service.
<Switch> system-view
[Switch] ntp-service enable
# Specify NTP for obtaining the system time.
[Switch] clock protocol ntp
# Specify the AC as the NTP server of the switch.
[Switch] ntp-service unicast-server 1.0.1.11
4. Verify the configuration:
# Verify that the switch has synchronized its time with the AC, and the clock stratum level of the switch is 3.
[Switch] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 1.0.1.11
Local mode: client
Reference clock ID: 1.0.1.11
Leap indicator: 00
Clock jitter: 0.000977 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.00383 ms
Root dispersion: 16.26572 ms
Reference time: d0c6033f.b9923965 Wed, Dec 29 2010 18:58:07.724
# Verify that an IPv4 NTP association has been established between the switch and the AC.
[Switch] display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[12345]1.0.1.11 127.127.1.0 2 1 64 15 -4.0 0.0038 16.262
Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.
Total sessions: 1
Example: Configuring IPv6 NTP client/server association mode
Network configuration
As shown in Figure 9, perform the following tasks:
· Configure the AC's local clock as its reference source, with stratum level 2.
· Configure the switch to operate in client mode and specify the AC as the IPv6 NTP server of the switch.
Procedure
1. Assign an IP address to each interface, and make sure the AC and the switch can reach each other, as shown in Figure 9. (Details not shown.)
2. Configure the AC:
# Enable the NTP service.
<AC> system-view
[AC] ntp-service enable
# Specify the local clock as the reference source, with stratum level 2.
[AC] ntp-service refclock-master 2
3. Configure the switch:
# Enable the NTP service.
<Switch> system-view
[Switch] ntp-service enable
# Specify NTP for obtaining the system time.
[Switch] clock protocol ntp
# Specify the AC as the IPv6 NTP server of the switch.
[Switch] ntp-service ipv6 unicast-server 3000::34
4. Verify the configuration:
# Verify that the switch has synchronized its time with the AC, and the clock stratum level of the switch is 3.
[Switch] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 3000::34
Local mode: client
Reference clock ID: 163.29.247.19
Leap indicator: 00
Clock jitter: 0.000977 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.02649 ms
Root dispersion: 12.24641 ms
Reference time: d0c60419.9952fb3e Wed, Dec 29 2010 19:01:45.598
# Verify that an IPv6 NTP association has been established between the switch and the AC.
[Switch] display ntp-service ipv6 sessions
Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.
Source: [12345]3000::34
Reference: 127.127.1.0 Clock stratum: 2
Reachabilities: 15 Poll interval: 64
Last receive time: 19 Offset: 0.0
Roundtrip delay: 0.0 Dispersion: 0.0
Total sessions: 1
Example: Configuring NTP symmetric active/passive association mode
Network configuration
As shown in Figure 10, perform the following tasks:
· Configure the AC's local clock as its reference source, with stratum level 2.
· Configure the AC to operate in symmetric-active mode and specify the switch as the passive peer of the AC.
Procedure
1. Assign an IP address to each interface, and make sure the AC and the switch can reach each other, as shown in Figure 10. (Details not shown.)
2. Configure the switch:
# Enable the NTP service.
<Switch> system-view
[Switch] ntp-service enable
# Specify NTP for obtaining the system time.
[Switch] clock protocol ntp
3. Configure the AC:
# Enable the NTP service.
<AC> system-view
[AC] ntp-service enable
# Specify NTP for obtaining the system time.
[AC] clock protocol ntp
# Specify the local clock as the reference source, with stratum level 2.
[AC] ntp-service refclock-master 2
# Configure the switch as the symmetric passive peer.
[AC] ntp-service unicast-peer 3.0.1.32
4. Verify the configuration:
# Verify that the switch has synchronized its time with the AC and the clock stratum level of the switch is 3.
[Switch] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 3.0.1.31
Local mode: sym_passive
Reference clock ID: 3.0.1.31
Leap indicator: 00
Clock jitter: 0.000916 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.00609 ms
Root dispersion: 1.95859 ms
Reference time: 83aec681.deb6d3e5 Wed, Jan 8 2014 14:33:11.081
# Verify that an IPv4 NTP association has been established between the switch and the AC.
[Switch] display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[12]3.0.1.31 127.127.1.0 2 62 64 34 0.4251 6.0882 1392.1
Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.
Total sessions: 1
Example: Configuring IPv6 NTP symmetric active/passive association mode
Network configuration
As shown in Figure 11:
· Configure AC's local clock as its reference source, with stratum level 2.
· Configure the AC to operate in symmetric-active mode and specify the switch as the IPv6 passive peer of the AC.
Procedure
1. Assign an IP address to each interface, and make sure the AC and the switch can reach each other, as shown in Figure 11. (Details not shown.)
2. Configure the switch:
# Enable the NTP service.
<Switch> system-view
[Switch] ntp-service enable
# Specify NTP for obtaining the system time.
[Switch] clock protocol ntp
3. Configure the AC:
# Enable the NTP service.
<AC> system-view
[AC] ntp-service enable
# Specify NTP for obtaining the system time.
[AC] clock protocol ntp
# Specify the local clock as the reference source, with stratum level 2.
[AC] ntp-service refclock-master 2
# Configure the switch as the IPv6 symmetric passive peer.
[AC] ntp-service ipv6 unicast-peer 3000::36
4. Verify the configuration:
# Verify that the switch has synchronized its time with the AC and the clock stratum level of the switch is 3.
[Switch] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 3000::35
Local mode: sym_passive
Reference clock ID: 251.73.79.32
Leap indicator: 11
Clock jitter: 0.000977 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.01855 ms
Root dispersion: 9.23483 ms
Reference time: d0c6047c.97199f9f Wed, Dec 29 2010 19:03:24.590
# Verify that an IPv6 NTP association has been established between the switch and the AC.
[Switch] display ntp-service ipv6 sessions
Notes: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured.
Source: [1234]3000::35
Reference: 127.127.1.0 Clock stratum: 2
Reachabilities: 15 Poll interval: 64
Last receive time: 19 Offset: 0.0
Roundtrip delay: 0.0 Dispersion: 0.0
Total sessions: 1
Example: Configuring authenticated NTP in client/server association mode
Network configuration
As shown in Figure 12, perform the following tasks:
· Configure AC's local clock as its reference source, with stratum level 2.
· Configure the switch to operate in client mode and specify the AC as the NTP server of the switch.
· Configure NTP authentication on both the AC and the switch.
Procedure
1. Assign an IP address to each interface, and make sure the AC and the switch can reach each other, as shown in Figure 12. (Details not shown.)
2. Configure the AC:
# Enable the NTP service.
<AC> system-view
[AC] ntp-service enable
# Specify the local clock as the reference source, with stratum level 2.
[AC] ntp-service refclock-master 2
3. Configure the switch:
# Enable the NTP service.
<Switch> system-view
[Switch] ntp-service enable
# Specify NTP for obtaining the system time.
[Switch] clock protocol ntp
# Enable NTP authentication on the switch.
[Switch] ntp-service authentication enable
# Create authentication key 42 and set the key value to aNiceKey in plain text.
[Switch] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey
# Specify key 42 as a trusted key.
[Switch] ntp-service reliable authentication-keyid 42
# Specify the AC as the NTP server of the switch, and associate the server with key 42.
[Switch] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
To enable the switch to synchronize its clock with the AC, enable NTP authentication on the AC.
4. Configure NTP authentication on the AC:
# Enable NTP authentication.
[AC] ntp-service authentication enable
# Create authentication key 42 and set the key value to aNiceKey in plain text.
[AC] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey
# Specify key 42 as a trusted key.
[AC] ntp-service reliable authentication-keyid 42
5. Verify the configuration:
# Verify that the switch has synchronized its time with the AC, and the clock stratum level of the switch is 3.
[Switch] display ntp-service status
Clock status: synchronized
Clock stratum: 3
System peer: 1.0.1.11
Local mode: client
Reference clock ID: 1.0.1.11
Leap indicator: 00
Clock jitter: 0.005096 s
Stability: 0.000 pps
Clock precision: 2^-23
Root delay: 0.00655 ms
Root dispersion: 1.15869 ms
Reference time: d0c62687.ab1bba7d Wed, Dec 29 2010 21:28:39.668
# Verify that an IPv4 NTP association has been established between the switch and the AC.
[Switch] display ntp-service sessions
source reference stra reach poll now offset delay disper
********************************************************************************
[1245]1.0.1.11 127.127.1.0 2 1 64 519 -0.0 0.0065 0.0
Notes: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured.
Total sessions: 1
Configuring SNTP
About SNTP
SNTP is a simplified, client-only version of NTP specified in RFC 4330. It uses the same packet format and packet exchange procedure as NTP, but provides faster synchronization at the price of time accuracy.
Relationship between SNTP and NTP
The relationship between SNTP and NTP is as follows:
· Purpose—Both SNTP and NTP aim to synchronize the time of computer systems.
· Protocol family—SNTP is a subset of NTP and uses the same protocol family as NTP. SNTP uses the NTP message format.
· Simplified version—NTP provides additional features to enhance time synchronization accuracy, such as complex error detection and correction algorithms, dynamic server selection, load balancing, and control protocols. SNTP typically does not provide these complex features.
· Precision—NTP is designed to provide high-precision time synchronization on the network, typically at the millisecond level and even capable of reaching sub-millisecond levels. SNTP is suitable for scenarios where precision requirements are lower.
· Compatibility—In most cases, SNTP and NTP are compatible, because they use the same PDU format. This design allows interoperability between SNTP clients and NTP servers, and between NTP clients and SNTP servers.
· Application scenarios—SNTP, being a simplified version of NTP, is ideal for resource-constrained devices such as home routers and IP cameras, as well as applications where strict time accuracy is not critical. On the other hand, NTP is designed for use in scenarios demanding highly precise time synchronization, such as financial transaction systems, scientific research, and advanced network infrastructure.
SNTP operating mechanism
SNTP performs basic time synchronization by using some fields in NTP messages. It uses the same message exchange process as NTP but processes the received time information in a more simplified way, reducing complexity and resource requirements. The following is a typical SNTP time synchronization message exchange process:
1. The SNTP client generates an NTP message, sets the mode to client (mode 3), pads the original timestamp, and then sends it to the server.
2. Upon receiving the message, the NTP/SNTP server adds or updates the receive timestamp and transmit timestamp, sets the message mode to server (mode 4), and sends it back to the client as a response.
3. After receiving the response, the SNTP client logs the time when the response was received, extracts the transmission timestamp from the response, and adjusts the clock as needed.
Figure 13 SNTP operating mechanism
SNTP working mode
SNTP supports only the client/server mode. An SNTP-enabled device can receive time from NTP servers, but cannot provide time services to other devices.
If you specify multiple NTP servers for an SNTP client, the server with the best stratum is selected. If multiple servers are at the same stratum, the NTP server whose time packet is first received is selected.
Protocols and standards
RFC 4330, Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
Restrictions and guidelines: SNTP configuration
You cannot configure both NTP and SNTP on the same device. NTP and SNTP communicate using UDP port 123. If another service module uses this port, the device will fail to enable NTP and SNTP. If you enable NTP or SNTP, other service modules cannot use port 123.
Client/server mode tasks at a glance
Tasks on the client
2. Configuring SNTP in client/server mode
The device can operate in client/server mode and broadcast mode simultaneously. If the device acts as a client and receives multiple NTP clock signals at the same time, it will select the optimal NTP clock for synchronization.
¡ Specifying an NTP server for the device
¡ (Optional.) Configuring SNTP authentication in client/server mode
3. (Optional.) Specifying the SNTP time-offset thresholds for log and trap outputs
Tasks on the server
2. (Optional.) Configuring SNTP authentication in client/server mode
Broadcast mode tasks at a glance
Tasks on the client
2. Configuring SNTP in broadcast mode
The device can operate in client/server mode and broadcast mode simultaneously. If the device acts as a client and receives multiple NTP clock signals at the same time, it will select the optimal NTP clock for synchronization.
¡ Configuring the SNTP broadcast client
¡ (Optional.) Configuring SNTP authentication in broadcast mode
3. (Optional.) Specifying the SNTP time-offset thresholds for log and trap outputs
|
|
NOTE: You can deploy an NTP broadcast server in the network to act as an SNTP broadcast server. This enables SNTP time synchronization in broadcast mode. |
Enabling the SNTP service
Restrictions and guidelines
The NTP service and SNTP service are mutually exclusive. Before you enable SNTP, make sure NTP is disabled.
Procedure
1. Enter system view.
system-view
2. Enable the SNTP service.
sntp enable
By default, the SNTP service is disabled.
Configuring SNTP in client/server mode
Specifying an NTP server for the device
About this task
In SNTP client/server mode, the device only supports acting as a client to synchronize the clock with the NTP server.
Restrictions and guidelines
To use an NTP server as the time source, make sure its clock has been synchronized. If the stratum level of the NTP server is greater than or equal to that of the client, the client does not synchronize with the NTP server.
Procedure
1. Enter system view.
system-view
2. Specify an NTP server for the device.
IPv4:
sntp unicast-server { server-name | ip-address } [ authentication-keyid keyid | source interface-type interface-number | version number ] *
IPv6:
sntp ipv6 unicast-server { server-name | ipv6-address } [ authentication-keyid keyid | source interface-type interface-number ] *
By default, no NTP server is specified for the device.
You can specify multiple NTP servers for the client by repeating this step.
To perform authentication, you need to specify the authentication-keyid keyid option.
Configuring SNTP authentication in client/server mode
About this task
SNTP authentication ensures that an SNTP client is synchronized only to an authenticated trustworthy NTP server.
Restrictions and guidelines
Enable authentication on both the NTP server and the SNTP client.
Use the same authentication key ID, algorithm, and key on the NTP server and SNTP client. Specify the key as a trusted key on both the NTP server and the SNTP client. For information about configuring NTP authentication on an NTP server, see "Configuring NTP."
On the SNTP client, associate the specified key with the NTP server. Make sure the server is allowed to use the key ID for authentication on the client.
With authentication disabled, the SNTP client can synchronize with the NTP server regardless of whether the NTP server is enabled with authentication.
Configuring SNTP authentication on the client
1. Enter system view.
system-view
2. Enable SNTP authentication.
sntp authentication enable
By default, SNTP authentication is disabled.
3. Configure an SNTP authentication key.
sntp authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no SNTP authentication key exists.
4. Specify the key as a trusted key.
sntp reliable authentication-keyid keyid
By default, no trusted key is specified.
5. Associate the SNTP authentication key with an NTP server.
IPv4:
sntp unicast-server { server-name | ip-address } authentication-keyid keyid
IPv6:
sntp ipv6 unicast-server { server-name | ipv6-address } authentication-keyid keyid
By default, no NTP server is specified.
Configuring SNTP authentication on the server
1. Enter system view.
system-view
2. Enable SNTP authentication.
sntp authentication enable
By default, SNTP authentication is disabled.
3. Configure an SNTP authentication key.
sntp authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no SNTP authentication key exists.
4. Specify the key as a trusted key.
sntp reliable authentication-keyid keyid
By default, no trusted key is specified.
Configuring SNTP in broadcast mode
Configuring the SNTP broadcast client
About this task
In SNTP broadcast mode, the device supports only operating as an SNTP broadcast client to synchronize the clock with the NTP broadcast server.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the device to operate in SNTP broadcast client mode.
sntp broadcast-client
By default, the device does not operate in any SNTP association mode.
After you execute the command, the device receives NTP broadcast messages from the specified interface.
Configuring SNTP authentication in broadcast mode
About this task
In some networks where time synchronization security is required, you need to enable authentication when SNTP is used. SNTP authentication ensures that the client synchronizes time only with the authenticated server, which improves network security.
Restrictions and guidelines
· You must enable authentication on both the NTP broadcast server and SNTP broadcast client.
· You must configure the same authentication key (including key ID, authentication algorithm, and key value) for the NTP broadcast server and SNTP broadcast client and set the key as a trusted key. For information about configuring authentication on an NTP broadcast server, see "Configuring NTP authentication in broadcast mode."
· If SNTP authentication is not successfully enabled on the client, the client can synchronize with the server regardless of whether authentication is enabled on the server.
Procedure
1. Enter system view.
system-view
2. Enable SNTP authentication.
sntp authentication enable
By default, SNTP authentication is disabled.
3. Configure an SNTP authentication key.
sntp authentication-keyid keyid authentication-mode { hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5 } { cipher | simple } string [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
By default, no SNTP authentication key exists.
4. Configure the key as a trusted key.
sntp reliable authentication-keyid keyid
By default, no authentication key is configured as a trusted key.
Specifying the SNTP time-offset thresholds for log and trap outputs
About this task
By default, the SNTP client synchronizes the time with the server and outputs a log and a trap when the time offset between the client and server exceeds 128 ms for multiple times.
After you set the SNTP time-offset thresholds for log and trap outputs, the SNTP client synchronizes the time with the server when the time offset exceeds 128 ms for multiple times, but outputs a log or trap only when the time offset exceeds the specified threshold.
Procedure
1. Enter system view.
system-view
2. Specify the SNTP time-offset thresholds for log and trap outputs.
sntp time-offset-threshold { log log-threshold | trap trap-threshold } *
By default, no SNTP time-offset thresholds are set for log and trap outputs.
Verifying and maintaining SNTP
Perform display tasks in any view.
· Display information about all IPv6 SNTP associations.
display sntp ipv6 sessions
· Display information about all IPv4 SNTP associations.
display sntp sessions
SNTP configuration examples
Example: Configuring SNTP
Network configuration
As shown in Figure 14:
· Configure AC's local clock of the AC as its reference source, with stratum level 2.
· Configure the switch to operate in SNTP client mode, and specify the AC as the NTP server.
· Configure NTP authentication on the AC and SNTP authentication on the switch.
Procedure
1. Assign an IP address to each interface, and make sure the AC and the switch can reach each other, as shown in Figure 14. (Details not shown.)
2. Configure the AC:
# Enable the NTP service.
<AC> system-view
[AC] ntp-service enable
# Specify NTP for obtaining the system time.
[AC] clock protocol ntp
# Configure the local clock as the reference source, with stratum level 2.
[AC] ntp-service refclock-master 2
# Enable NTP authentication on the AC.
[AC] ntp-service authentication enable
# Create authentication key 10 and set the key value to aNiceKey, in plain text.
[AC] ntp-service authentication-keyid 10 authentication-mode md5 simple aNiceKey
# Specify key 10 as a trusted key.
[AC] ntp-service reliable authentication-keyid 10
3. Configure the switch:
# Enable the SNTP service.
<Switch> system-view
[Switch] sntp enable
# Specify NTP for obtaining the system time.
[Switch] clock protocol ntp
# Enable SNTP authentication on the switch.
[Switch] sntp authentication enable
# Create authentication key 10 and set the key value to aNiceKey, in plain text.
[Switch] sntp authentication-keyid 10 authentication-mode md5 simple aNiceKey
# Specify key 10 as a trusted key.
[Switch] sntp reliable authentication-keyid 10
# Specify the AC as the NTP server of the switch, and associate the server with key 10.
[Switch] sntp unicast-server 1.0.1.11 authentication-keyid 10
4. Verify the configuration:
# Verify that an SNTP association has been established between the switch and the AC, and the switch has synchronized to the AC.
[Switch] display sntp sessions
NTP server Stratum Version Last receive time
1.0.1.11 2 4 Tue, May 17 2011 9:11:20.833 (Synced)