01-13 NTP Configuration
Ethernet Switches
Configuration Guide - Device Management 13 NTP Configuration
13 NTP Configuration
Definition
Network Time Protocol (NTP) is an application layer protocol belonging to the
Transmission Control Protocol/Internet Protocol (TCP/IP) suite. NTP synchronizes
time between time servers and clients. NTP implementation is based on Internet
Protocol (IP) and User Datagram Protocol (UDP). NTP transmission occurs through
UDP port 123.
Purpose
As network topologies become increasingly complex, clock synchronization
becomes more important for all devices within a network. Manual configuration
of system clocks by network administrators is both labor-intensive and
error-prone, and the resulting clock precision is poor. NTP is a network
protocol that synchronizes the clocks of devices within a network automatically.
NTP is applied when all devices on a network require consistency between their
clocks, such as in the following situations:
● In network management, logs and debugging messages collected from different
routers must carry timestamps that can be compared with each other.
● When an accounting system requires that all device clocks be consistent.
● When multiple systems must reference the same clock when operating
together to process complicated events.
● When performing incremental backup, a backup server and clients require
synchronization between clocks.
● When certain applications require access to user login or file modification
times.
NOTE
A switch can function as both an NTP server and an NTP client.
Version Evolution
NTP evolved from a simple time protocol using the ICMP Timestamp message.
NTP has grown in complexity, now maintaining time synchronization with
improved security and reliability. Table 13-1 lists the NTP versions and their
updates.
clocks of the NTP client and server are precise, the time difference can be
calculated using the following formulas:
1. Calculate the one-way delay (Delay) of an NTP packet between the client and
the server, assuming that the packet takes the same time in each direction
(T1 and T4 are read from the client clock, T2 and T3 from the server clock):
Delay = [(T4 - T1) - (T3 - T2)]/2
2. Calculate the time difference (Offset) between the client clock and the server
clock. At T4, for example, the server clock reads T3 + Delay, so:
T4 + Offset = T3 + Delay
Rearranging gives:
Offset = T3 + Delay - T4
Substituting the expression for Delay:
Offset = T3 + [(T4 - T1) - (T3 - T2)]/2 - T4 = [(T2 - T1) + (T3 - T4)]/2
The NTP client clock will be adjusted based on the Offset. This synchronizes the
NTP client clock with the server.
NOTE
The preceding description assumes that the client and server clocks are precise and
that the packet takes the same time in each direction. Neither can be assumed in
practice: clocks drift and network paths are asymmetric. RFC 1305 defines the filtering
and selection algorithms that NTP uses to keep clock synchronization precise under these
conditions.
● Synchronization subnet
Consists of the primary time server, secondary time servers, PC clients, and
interconnecting transmission paths displayed in Figure 13-2.
NOTE
When the synchronization subnet has multiple primary time servers, the optimal server is
selected.
● Client
Hosts running in client mode periodically send packets to the server. The
Mode field of these packets has the value 3, indicating that the packet was
sent by a client. The client sends them regardless of whether the server is
reachable or what its stratum is. Upon receiving reply packets, the client
filters the clock samples, selects the usable ones, and synchronizes its clock
to the server that provides the optimal clock. Typically, a host running in
client mode is a workstation within a network. Synchronization is one-way:
the client clock is adjusted and the server clock is not.
● Server
Hosts running in server mode receive packets from clients and then reply to
these packets. The Mode field in reply packets has a value of 4. This indicates
that the packets are being sent from a server. Typically, a host running in
server mode is a clock server within a network. Server mode hosts provide
synchronization information for clients but do not alter their own clocks.
During and after a restart, a host operating in client mode will periodically send
NTP request messages to the host operating in server mode. Following receipt of
an NTP request message, the server will:
● Swap the position of destination IP address and source IP address.
● Swap the position of source port number and destination port number.
● Fill in the necessary information.
● Send the message to the client.
The server is not required to retain any state for the client. The client adjusts
the interval at which it sends NTP request messages according to local
conditions.
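The exchange described above, carried through to the Delay and Offset formulas of the working-principle section, as an added example that is not part of this guide or the switch software. It builds a Mode-3 request and a Mode-4 reply as 48-byte NTPv4 headers, reads T1 to T4 back out of the packets and applies the two formulas. The clock readings and path delays are constructed; the second run shows what happens when the two directions of the path do not take the same time.

```python
"""Mode-3 request / mode-4 reply exchange and the Delay/Offset computation
from this chapter. Added example; not the switch's code. Clock readings
and path delays are constructed."""
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast"}


def to_ntp_ts(seconds):
    """Unix seconds (float) -> (whole, fraction) 64-bit NTP timestamp."""
    whole = int(seconds) + NTP_UNIX_DELTA
    frac = int(round((seconds - int(seconds)) * 2 ** 32))
    return whole & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp_ts(whole, frac):
    return (whole - NTP_UNIX_DELTA) + frac / 2 ** 32


def build_packet(mode, stratum, originate, receive, transmit, version=4):
    """48-byte NTPv4 header. Byte 0 is LI(2) | VN(3) | Mode(3); then stratum,
    poll, precision, root delay, root dispersion, reference ID, and the
    reference, originate, receive and transmit timestamps (all 64-bit)."""
    first = (0 << 6) | (version << 3) | mode
    head = struct.pack("!BBbb", first, stratum, 6, -20)
    head += bytes(12)                    # root delay, root dispersion, reference ID
    head += bytes(8)                     # reference timestamp (unused here)
    for ts in (originate, receive, transmit):
        head += struct.pack("!II", *to_ntp_ts(ts))
    return head


def parse_packet(data):
    first, stratum = data[0], data[1]
    words = struct.unpack("!8I", data[16:48])        # four 64-bit timestamps
    return {
        "version": (first >> 3) & 7,
        "mode": first & 7,
        "mode_name": MODE_NAMES.get(first & 7, "reserved"),
        "stratum": stratum,
        "originate": from_ntp_ts(*words[2:4]),
        "receive": from_ntp_ts(*words[4:6]),
        "transmit": from_ntp_ts(*words[6:8]),
    }


def delay_offset(t1, t2, t3, t4):
    """The chapter's formulas: T1/T4 are read on the client clock, T2/T3 on the
    server clock. Delay is the one-way delay under the assumption that both
    directions take equal time; Offset is server clock minus client clock."""
    delay = ((t4 - t1) - (t3 - t2)) / 2
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def exchange(client_clock, server_clock, fwd_delay, rev_delay, server_work=0.001):
    """Simulate one request/reply. client_clock and server_clock are the two
    clocks' readings at the same instant; fwd/rev are the one-way path delays."""
    t1 = client_clock
    request = build_packet(3, 0, 0.0, 0.0, t1)              # Mode 3: client, transmit = T1
    t2 = server_clock + fwd_delay                           # server clock at arrival
    t3 = t2 + server_work                                   # server clock at reply
    origin = parse_packet(request)["transmit"]              # server copies T1 back
    reply = build_packet(4, 2, origin, t2, t3)              # Mode 4: server, stratum 2
    t4 = t1 + fwd_delay + server_work + rev_delay           # client clock at arrival
    p = parse_packet(reply)
    assert p["mode_name"] == "server"
    return delay_offset(p["originate"], p["receive"], p["transmit"], t4)


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Server clock 2.5 s behind the client, 20 ms each way: the formulas are exact.
    print(exchange(now, now - 2.5, 0.020, 0.020))   # about (0.02, -2.5)
    # Same clocks, but the return path takes 40 ms longer: the Offset estimate
    # is wrong by half the asymmetry. Delaying one direction is all an on-path
    # attacker needs to shift a client's clock without touching the packets.
    print(exchange(now, now - 2.5, 0.020, 0.060))   # about (0.04, -2.52)
```

The second run is the caveat behind the NOTE that follows the formulas: the derivation only holds when the two directions take the same time, and any asymmetry, accidental or induced, goes straight into the offset.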
Peer Mode
In peer mode, active and passive peers perform the following functions:
● Active peer
A host that functions as an active peer will periodically send packets. The
value of the Mode field in a packet has a value of 1. This indicates that the
packet was sent by an active peer, without consideration for whether peers
are reachable and stratum of peers. Active peers can provide time information
about the local clock to peers. They may also synchronize time information of
the local clock based on that of the peer clock.
● Passive peer
A host that functions as a passive peer will receive packets from the active
peer and send reply packets. The value of the Mode field in a reply packet has
a value of 2. This indicates that the packet was sent by a passive peer. Passive
peers can provide time information about the local clock to peers. They may
also synchronize time information of the local clock based on that of the peer
clock.
Peer mode is normally used between servers at lower strata (closer to the reference
clock) within a synchronization subnet. In peer mode, an active peer and a passive
peer can synchronize to each other: the peer with the higher stratum number (the
lower level) synchronizes to the peer with the lower stratum number (the higher level).
Before devices enter the peer mode, the following occurs:
1. The active peer sends NTP packets with the Mode field set to 3 (client
mode).
2. The passive peer responds with NTP packets with the Mode field set to 4
(server mode).
This client/server exchange lets both ends measure the network delay between
them, after which they enter the peer mode.
NOTE
The passive peer does not require configuration. A host establishes a connection and sets
relevant state variables only after receiving an NTP packet.
Broadcast Mode
Broadcast mode is applied to a high-speed network that has multiple
workstations, but only when the network does not require high precision. In
typical scenarios, one or more clock servers on a network will periodically send
broadcast packets to the workstations. The delay of packet transmission within a
LAN is measured at the millisecond level. In broadcast mode, clients and servers
perform the following functions:
● Broadcast server
A host running in broadcast mode will send clock synchronization packets to
the broadcast address 255.255.255.255 (full broadcast mode) or the broadcast
address of the network segment to which the interface IP address belongs
(subnet broadcast mode) periodically. The Mode field in a packet has a value
of 5. This indicates that the packet was sent by a host running in broadcast or
multicast mode, without considering whether peers are reachable and on
which stratum the peers are located. Hosts running in broadcast mode are
typically clock servers attached to a high-speed broadcast medium. They
provide synchronization information to all peers, but do not alter their own
clocks.
● Broadcast client
Clients process clock synchronization packets received from the server. When
the first clock synchronization packet is received by the client, the client and
server exchange NTP packets with Mode fields which have a value of 3 (sent
by the client). They will also exchange NTP packets with Mode fields which
have a value of 4 (sent by the server). During this process, the client enables
server/client mode for a short time, allowing information exchange with the
remote server. This allows the client to determine the network delay between
client and server. Following this, the client returns to broadcast mode,
resuming analysis of incoming clock synchronization packets and
synchronizing the local clock.
Multicast Mode
Multicast mode is used when a significant number of clients are distributed
throughout a network. This normally results in large number of NTP packets in the
network. In multicast mode, a single NTP multicast packet can potentially reach
all the clients on the network and reduce the control traffic on the network.
Manycast Mode
Manycast mode is applied when a small set of servers is scattered throughout a
network. Clients discover and then synchronize with the closest manycast
server. Manycast is especially useful when the set of servers changes frequently,
which would otherwise require every client in the network to be reconfigured.
● Manycast server
The manycast server continuously analyzes incoming packets. If server
synchronization is possible, the server will return a packet with the Mode field
set to 4 using the unicast address of the client as the destination address.
● Manycast client
The manycast client periodically sends request packets with the Mode field set
to 3 to an IPv4/IPv6 multicast address. After receiving a reply packet, the
client filters and selects clock signals, and then synchronizes its clock with the
server which provides the optimal clock.
To prevent the client from constantly sending NTP request packets to the
manycast servers, which would consume resources unnecessarily, the NTP protocol
defines a minimum number of connections. In manycast mode, the client records
the number of connections it establishes each time it synchronizes its clock
with a server. The minimum number of connections is the smallest number of
connections used during a synchronization process. If the number of connections
used by the client reaches this minimum during a later synchronization process
and the synchronization has finished, the client considers the synchronization
complete. The client then sends a packet each time a timeout period expires to
maintain the connections. The NTP protocol uses the time to live (TTL) of the
request packets to control how far they propagate, so that servers are found at
increasing distances. The TTL process follows these steps:
1. When the client sends an NTP packet, the TTL of the packet increases from
the initial value of 1.
Access Authority
To protect local clocks, devices provide access authority control, which is
simple and secure.
NTP access control is implemented based on an access control list (ACL). NTP
supports up to five levels of access authority. An ACL rule may be specified for
each level of access authority. If an NTP access request matches an ACL rule, a
match occurs and the device requesting access is given access authority on that
level.
When an NTP access request reaches the local device and matches an ACL, the
access authority levels are checked from the highest to the lowest, and the first
level whose ACL matches takes effect. The matching order and the access rights
of each level are as follows:
1. Peer: This indicates that a time request may be made and a control query
may be performed on the local clock. The local clock can also be synchronized
to a remote server.
2. Server: This indicates that a time request may be made and a control query
may be performed on the local clock. The local clock cannot be synchronized
with the clock of a remote server.
3. Synchronization: This indicates that time requests may be made of the local
clock.
4. Query: This indicates that control queries may be performed on the local
clock.
5. Limited: When the rate of NTP packets exceeds the upper limit, incoming NTP
packets are discarded.
Kiss-of-Death
The Kiss-of-Death (KOD) function performs access control when enabled on the
server. It is useful when a server's load capacity is exceeded because it
receives a large number of client packets within a given period. KOD is an
access control mechanism introduced in NTPv4. The server uses it to send
information to the client, including status reports and access control
instructions.
A KOD packet is a special NTP packet whose Stratum field is 0. The four-character
ASCII string it carries in the Reference Identifier field is called a kiss code
and conveys the access control information. Two kiss codes are supported: DENY
and RATE.
With the KOD function enabled on a server, the server sends the DENY or RATE
kiss code to the client based on the configuration. The client reacts as follows:
● When the client receives the DENY kiss code, it terminates all connections
to the server and stops sending packets to the server.
● When the client receives the RATE kiss code, it immediately reduces its
polling rate to the server, that is, lengthens the polling interval, and
lengthens it further each time it receives another RATE kiss code.
NOTE
After the KOD function is enabled, the corresponding ACL rule needs to be configured. With
the ACL rule configured to deny, the server sends the DENY kiss code. When the ACL rule is
configured as permit and the number of NTP packets received reaches configured upper
limits, the server sends the RATE kiss code.
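A model of the server-side decision described in the Access Authority and Kiss-of-Death sections, and of the client's reaction, as an added example that is not the switch's own logic. It walks the five access levels from peer down to limited and lets the first ACL that matches decide, sends a DENY kiss code when that ACL denies the source, rate-limits sources that land in the limited level and answers them with RATE, and shows the client backing off or stopping when it sees a Stratum-0 reply. The ACL contents and the sliding-window rate model are assumptions; the 2 s and 32 s defaults are the inter-packet intervals stated later in this chapter.

```python
"""Server-side NTP access control and Kiss-of-Death as described in the Access
Authority and Kiss-of-Death sections. Added example, not the switch's own
logic; the ACLs, rate thresholds and sliding-window rate model are assumptions."""
import ipaddress
import struct

LEVELS = ("peer", "server", "synchronization", "query", "limited")   # highest first


def acl_action(acl, src_ip):
    """acl: list of (action, network) rules tried in order; None if none matches."""
    ip = ipaddress.ip_address(src_ip)
    for action, network in acl:
        if ip in ipaddress.ip_network(network):
            return action
    return None


def access_level(access_acls, src_ip):
    """access_acls maps a level name to its ACL. Levels are tried from peer
    down to limited and the first ACL with a matching rule decides."""
    for level in LEVELS:
        acl = access_acls.get(level)
        if acl is None:
            continue
        action = acl_action(acl, src_ip)
        if action is not None:
            return level, action
    return None, None                    # no ACL covers this source


class RateLimiter:
    """Simplified stand-in for the 'limited' check: a source exceeds the rate
    when two packets arrive closer than min_interval seconds, or when its last
    `window` packets average closer than avg_interval seconds (defaults are the
    2 s and 32 s given in this chapter)."""
    def __init__(self, min_interval=2.0, avg_interval=32.0, window=8):
        self.min_interval = min_interval
        self.avg_interval = avg_interval
        self.window = window
        self.history = {}                # src_ip -> arrival times

    def exceeded(self, src_ip, now):
        hist = self.history.setdefault(src_ip, [])
        hist.append(now)
        del hist[:-self.window]
        if len(hist) >= 2 and hist[-1] - hist[-2] < self.min_interval:
            return True
        return (len(hist) == self.window and
                (hist[-1] - hist[0]) / (self.window - 1) < self.avg_interval)


def kod_packet(kiss_code, version=4):
    """KOD reply: Mode 4, Stratum 0, the four-character kiss code in the
    Reference Identifier field, all timestamps zero."""
    first = (version << 3) | 4
    head = struct.pack("!BBbb", first, 0, 6, -20)
    head += bytes(8)                                   # root delay, root dispersion
    head += kiss_code.encode("ascii")[:4].ljust(4, b"\0")
    return head + bytes(32)                            # four zeroed timestamps


def server_decide(access_acls, limiter, src_ip, now):
    """Returns ('DENY' | 'RATE', kod packet) or ('OK', level)."""
    level, action = access_level(access_acls, src_ip)
    if action == "deny":
        return "DENY", kod_packet("DENY")              # ACL deny -> DENY kiss code
    if level == "limited" and limiter.exceeded(src_ip, now):
        return "RATE", kod_packet("RATE")              # permitted but too fast -> RATE
    return "OK", level or "unrestricted"


def client_handle_reply(data, state):
    """Client side: a Stratum-0 reply is a KOD packet. DENY stops polling this
    server; RATE backs off (poll exponent + 1 doubles the interval, capped at 2^17 s).
    Returns the kiss code acted on, or None for a normal reply."""
    if data[1] != 0:
        return None
    code = data[12:16].decode("ascii", "replace")
    if code == "DENY":
        state["stopped"] = True
    elif code == "RATE":
        state["poll"] = min(state["poll"] + 1, 17)
    return code


if __name__ == "__main__":
    acls = {                                           # constructed example ACLs
        "peer": [("permit", "10.1.1.0/24")],           # other switches: full rights
        "query": [("deny", "10.1.2.0/24")],            # no control queries from here
        "limited": [("permit", "0.0.0.0/0")],          # everyone else, rate limited
    }
    limiter = RateLimiter()
    state = {"poll": 6, "stopped": False}
    for src, t in [("10.1.1.5", 0.0), ("10.1.2.9", 0.5), ("192.0.2.7", 1.0), ("192.0.2.7", 1.5)]:
        verdict, payload = server_decide(acls, limiter, src, t)
        if verdict != "OK":
            client_handle_reply(payload, state)
        print(src, verdict, state)
```

Note that the client only ever trusts a kiss code because the packet has Stratum 0; a KOD packet carries no authenticator of its own unless NTP authentication is enabled, so a spoofed DENY from an attacker who can reach the client is enough to stop it polling its real server. That is one more reason to pair KOD with the authentication configured later in this chapter.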
Authentication
NTP authentication is applicable to networks requiring high security. Different
keys may be configured for different operating modes.
When NTP authentication is enabled in an NTP operating mode, the system
records the key ID used in that mode. The packet itself is not encrypted; instead,
a keyed message digest (MD5 or HMAC-SHA256) computed with the key identified by
the key ID is appended to it. The sending and receiving processes work as follows:
● Sending process
The system determines whether authentication is required in this operating
mode. If it is not, the system sends the packet directly. If it is, the system
computes the digest of the packet using the key associated with the key ID and
the configured algorithm, appends the key ID and the digest to the packet, and
sends it.
● Receiving process
The system determines whether a received packet needs to be authenticated. If
it does not, the system processes the packet. If it does, the system looks up
the key ID carried in the packet, recomputes the digest with that key, and
compares it with the digest in the packet. If they differ, or the key ID is
unknown or not declared reliable, the system discards the packet. If they
match, the system processes the packet.
Application in VPN
Figure 13-9 shows an NTP application in a VPN. CE A and CE B both belong to VPN 2.
CE B is the NTP unicast server and CE A is the NTP unicast client, and NTP time
synchronization can be performed between CE B and CE A within the VPN.
Licensing Requirements
NTP is a basic feature of a switch and is not under license control.
NOTE
For details about software mappings, visit Hardware Center and select the desired product
model.
The S5731-L and S5731S-L are remote units and do not support web-based management,
YANG, or commands. They can be configured only through configuration delivery by the
central device. For details, see "Simplified Architecture Configuration (the Solar System
Solution)" in the S300, S500, S2700, S5700, and S6700 V200R023C00 Configuration Guide -
Device Management.
Feature Limitations
● The existing configuration will not be deleted when the NTP service is
disabled.
● If the device does not support Real-Time Clock (RTC), it is recommended that
you configure NTP to ensure time accuracy in logs. The following models do
not support RTC:
S2720-EI, S2750-EI, S5700-10P-LI-AC, S5700-10P-PWR-LI-AC, S5700-28P-LI-BAT,
S5700-28P-LI-24S-BAT, S5720-LI, S5720S-LI, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720I-6X-PWH-SI-AC,
S5720I-10X-PWH-SI-AC, S5720I-12X-SI-AC, S5720I-12X-PWH-SI-DC, S5735-S-I
● If the switch does not support RTC, manually set the device time. If the switch
is powered off and restarts, the device time will become inaccurate. You need
to manually set the device time again.
Pre-configuration Tasks
Before configuring the basic NTP functions, configure the network layer address
and routing protocol of each interface. This ensures that destinations of NTP
packets are reachable.
Configuration Procedure
Basic NTP configuration consists of configuring the NTP primary clock and
configuring the NTP operating mode.
NOTE
When the local clock is configured as the reference clock, the local device clock can be used
to synchronize other device clocks on the network. Ensure there are no conflicts with this
configuration to avoid network errors.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service refclock-master [ ip-address ] [ stratum ]
The local clock is configured as the NTP primary clock.
By default, an NTP primary clock is not specified.
----End
Procedure
● Unicast Client/Server Mode
NOTE
In the unicast client/server mode, only the client and the NTP primary clock on the
server require configuration.
Once the server clock is synchronized, the server can function as a clock server. Other
devices can then be synchronized to that server. When the clock stratum of the server
is greater than or equal to the clock stratum of the client, the client will not
synchronize to the server.
To configure multiple servers, run the ntp-service unicast-server command
repeatedly. The client selects the optimal clock among them as its preferred clock.
If the port parameter is specified, specify the same port number on the
server using the ntp-service port port-value command.
● Symmetric Peer Mode
NOTE
Only the IP address of the symmetric passive peer on the symmetric active peer
requires specification. Both symmetric peers use this IP address when exchanging NTP
packets.
Either the symmetric active or symmetric passive peer must be in the synchronized
state. They cannot be synchronized without one in synchronized state.
To configure multiple symmetric passive peers, run the ntp-service unicast-peer
command repeatedly. When multiple symmetric passive peers are configured for a
symmetric active peer, the peer with the higher stratum number synchronizes to
the peer with the lower stratum number.
a. Run system-view
If the port parameter is specified, specify the same port number on the
passive peer using the ntp-service port port-value command.
● Broadcast Mode
NOTE
a. Run system-view
The interface for sending NTP broadcast packets is specified, and the
interface view is displayed.
c. Run ntp-service broadcast-server [ version number | authentication-keyid key-id | port port-number | subnet-broadcast ] *
If the port parameter is specified, specify the same port number on the
broadcast client using the ntp-service port port-value command.
a. Run system-view
The interface for receiving NTP broadcast packets is specified, and the
interface view is displayed.
c. Run ntp-service broadcast-client
The multicast client can synchronize with the multicast server only after the clock of
the multicast server is synchronized. A maximum of 128 multicast servers can be
configured on the device.
A maximum of 1024 multicast clients can be configured, and a maximum of 128
multicast clients can operate simultaneously.
a. Run system-view
The interface for sending NTP multicast packets is specified, and the
interface view is displayed.
c. Run
If the port parameter is specified, specify the same port number on the
manycast server using the ntp-service port port-value command.
----End
Context
After NTP-related commands are configured on a device, the device automatically
disables the NTP server function. This prevents external devices from
synchronizing their clocks with the device clock. The device also records the
ntp-service server disable and ntp-service ipv6 server disable commands in its
configuration file. To use the device as an NTP server, enable the NTP server
function on it.
Procedure
Step 1 Run system-view
----End
Prerequisites
All basic NTP functions have been configured.
Procedure
● Run the display ntp-service status command to view the NTP service status.
● Run the display ntp-service sessions [ verbose ] command to view the NTP
session status.
● Run the display ntp-service trace command to view the path from the local
device to the reference clock source.
● Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ] command to view statistics about NTP packets or symmetric peers.
----End
Procedure
Step 1 Run system-view
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support max-sys-poll max-sys-poll-value and
spike-offset spike-offset-value parameters.
----End
Prerequisites
All basic NTP functions have been configured.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service [ ipv6 ] source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]
The local source interface for sending and receiving NTP packets is configured.
By default, the local source interface for sending NTP packets is not specified. The
source IP address of an NTP packet is selected based on route.
In manycast, broadcast and multicast modes, NTP packets are sent and received on
the interface configured for that mode, so the ntp-service source-interface
command does not take effect.
If the specified NTP source interface is in the Down state, the source IP address
of a sent NTP packet is the primary IP address of the outbound interface.
----End
Prerequisites
All basic NTP functions have been configured.
Context
In both unicast client/server mode and symmetric peer mode, connections are
established using command lines. These connections are static sessions. Dynamic
sessions are established in broadcast mode and multicast mode. Configured limits
on the number of local dynamic sessions are enforced.
NOTE
The ntp-service max-dynamic-sessions command does not affect existing NTP sessions. When
the number of local dynamic NTP sessions exceeds the limit, new sessions cannot be
established.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service max-dynamic-sessions number
----End
Prerequisites
All basic NTP functions have been configured.
Configuration Procedure
The following configuration tasks can be performed in any sequence.
Context
Disable receipt of NTP packets on interfaces connected to external devices in the
following scenarios:
● When an unreliable clock server is reachable through the interface. By
default, after the NTP function is enabled, all interfaces can receive NTP
packets, and an unreliable clock source makes the NTP clock data inaccurate.
● When NTP packets arriving on the interface may have been tampered with by an
attacker.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the basic ACL.
Before configuring the access control authority, create a basic ACL. For details and
procedures, see ACL Configuration in the S300, S500, S2700, S5700, and S6700
V200R023C00 Configuration Guide - Security.
Step 3 Run ntp-service access { peer | query | server | synchronization | limited } { acl-number | ipv6 acl6-number } *
The access control authority of the NTP service is configured.
By default, no access control authority is set.
NOTE
Verify that the ACL rule has been configured before beginning configuration of the NTP
access control authority in the ACL. If the ACL rule is permit, the peer device with the
source IP address specified in this rule can access the NTP service on the local device. The
access rights of the peer device are configured using the ntp-service access command.
When the ACL rule is deny, the peer device with the source IP address specified in this rule
cannot access the NTP service on the local device.
The minimum inter-packet interval and the average inter-packet interval of NTP
are configured.
By default, the minimum inter-packet interval of NTP is set to the first power of 2
in seconds, namely, 2 seconds, and the average inter-packet interval of NTP is set
to the fifth power of 2 in seconds, namely, 32 seconds.
----End
Context
KOD is an access control mechanism introduced in NTPv4. The server uses it to
send information to the client, including status reports and access control
instructions.
With KOD enabled on the server, the server sends either the DENY or the RATE kiss
code to the client, according to the operating status of the system.
● When receiving the DENY kiss code, the client terminates all connections to
the server and stops sending packets to the server.
● When receiving the RATE kiss code, the client immediately reduces its
polling rate to the server, that is, lengthens the polling interval, and
lengthens it further each time it receives another RATE kiss code.
Procedure
Step 1 Run system-view
Before configuring the access control authority, create a basic ACL. For the
creation procedure, see ACL Configuration in the S300, S500, S2700, S5700, and
S6700 V200R023C00 Configuration Guide - Security.
NOTE
Before enabling control on the rate of incoming NTP packets, check the ACL rule
configuration. When the ACL rule is deny, the server sends the kiss code DENY. When the
ACL is permit and the rate of incoming NTP packets reaches the upper threshold, the server
sends the kiss code RATE.
----End
In NTP symmetric peer mode, the symmetric active peer functions as a client and the
symmetric passive peer functions as a server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service authentication enable
The NTP authentication function is enabled.
Step 3 Run ntp-service authentication-keyid key-id authentication-mode { md5 |
hmac-sha256 } [ cipher ] password
The NTP authentication key is configured.
Step 4 Run ntp-service reliable authentication-keyid key-id
The reliable key is specified.
----End
Follow-up Procedure
After NTP authentication configuration is complete, apply the NTP authentication
key in Configuring NTP Operating Modes by specifying the authentication-keyid
parameter.
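The sending and receiving processes from the Authentication section, together with the key ID, algorithm and reliable-key steps of the procedure above, as an added example that is not the switch's implementation. A KeyStore plays the role of the ntp-service authentication-keyid and ntp-service reliable authentication-keyid commands; sign_packet appends the key ID and digest, and verify_packet drops anything with an unknown key ID, a key not declared reliable, or a digest that does not match. Assumptions: the md5 mode is MD5(key || packet) as in the RFC 5905 reference code, hmac-sha256 is a full 32-byte HMAC-SHA256 (the guide does not state the switch's exact constructions), and the 48-byte header and the keys are constructed. Where both ends support it, hmac-sha256 is the mode to choose; the MD5 construction is the older one.

```python
"""NTP packet authentication as described in the Authentication section and
configured by the procedure above. Added example, not the switch's implementation.
Assumptions: md5 mode is MD5(key || packet) as in RFC 5905's reference code,
hmac-sha256 is a full HMAC-SHA256; header and keys are constructed."""
import hashlib
import hmac
import struct

HEADER_LEN = 48
DIGEST_LEN = {"md5": 16, "hmac-sha256": 32}


class KeyStore:
    """Mirrors ntp-service authentication-keyid / reliable authentication-keyid."""
    def __init__(self):
        self.keys = {}           # key_id -> (mode, key bytes)
        self.reliable = set()    # key IDs declared reliable (trusted)

    def add_key(self, key_id, mode, password):
        if mode not in DIGEST_LEN:
            raise ValueError("unsupported mode %r" % mode)
        self.keys[key_id] = (mode, password.encode())

    def mark_reliable(self, key_id):
        self.reliable.add(key_id)


def compute_digest(mode, key, header):
    if mode == "md5":
        return hashlib.md5(key + header).digest()          # keyed MD5, RFC 5905 style
    return hmac.new(key, header, hashlib.sha256).digest()  # HMAC-SHA256


def sign_packet(store, key_id, header):
    """Sending process: append the 4-byte key ID and the digest to the 48-byte header."""
    mode, key = store.keys[key_id]
    return header + struct.pack("!I", key_id) + compute_digest(mode, key, header)


def verify_packet(store, packet):
    """Receiving process. Returns (accepted, reason); a rejected packet is
    dropped before any of its timestamps are used."""
    if len(packet) < HEADER_LEN + 4:
        return False, "no authenticator"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    received = packet[HEADER_LEN + 4:]
    if key_id not in store.keys:
        return False, "unknown key id %d" % key_id
    if key_id not in store.reliable:
        return False, "key id %d not declared reliable" % key_id
    mode, key = store.keys[key_id]
    if len(received) != DIGEST_LEN[mode]:
        return False, "bad digest length"
    expected = compute_digest(mode, key, header)
    if not hmac.compare_digest(expected, received):        # constant-time compare
        return False, "digest mismatch"
    return True, "ok"


def make_store(password="Hello123", key_id=42, mode="hmac-sha256", reliable=True):
    """One side's configuration; defaults follow the key used in this chapter's example."""
    store = KeyStore()
    store.add_key(key_id, mode, password)
    if reliable:
        store.mark_reliable(key_id)
    return store


if __name__ == "__main__":
    client_hdr = bytes([0x23]) + bytes(47)   # LI=0, VN=4, Mode=3 (client), rest zero
    server = make_store()
    pkt = sign_packet(make_store(), 42, client_hdr)
    print(verify_packet(server, pkt))                        # (True, 'ok')
    tampered = pkt[:1] + bytes([pkt[1] ^ 0x01]) + pkt[2:]    # flip a header bit
    print(verify_packet(server, tampered))                   # (False, 'digest mismatch')
    print(verify_packet(make_store(password="wrong"), pkt))  # (False, 'digest mismatch')
    print(verify_packet(make_store(reliable=False), pkt))    # key configured but not reliable
```

The reliable-key check is the step that matters operationally: a key that is configured but not declared reliable is exactly the state of SwitchC in the first configuration example if the ntp-service reliable authentication-keyid command is left out, and packets signed with it are discarded rather than accepted unauthenticated.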
Procedure
● Run the display current-configuration | include ntp command to view NTP
configuration.
● Run the display ntp-service status command to view the NTP service status.
● Run the display ntp-service sessions [ verbose ] command to view the NTP
session status.
----End
NTP statistics cannot be recovered after being cleared with the reset ntp-service statistics
packet command. Exercise caution when using this command.
Procedure
● Run the reset ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ] command to clear statistics on NTP packets or symmetric peers.
----End
Procedure
● Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ] command to view statistics on NTP packets or symmetric peers.
● Run the display ntp-service status command to view the NTP status.
● Run the display ntp-service sessions [ verbose ] command to view all
session information maintained by the local NTP service.
● Run the display ntp-service trace command to view the path from the local
device to the reference clock source.
● Run the display ntp-service event clock-unsync command to view causes of
the last 10 failed clock synchronizations.
----End
Figure 13-11 Configuring the NTP unicast server/client mode with NTP
authentication enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchA as the NTP master clock server.
2. Configure the NTP unicast server/client mode to synchronize the clocks of
SwitchA, SwitchB, and SwitchC. Configure SwitchA as the NTP server and
SwitchB and SwitchC as NTP clients.
3. Enable NTP authentication to ensure NTP clock synchronization security.
NOTE
When configuring NTP authentication in the unicast server/client mode, enable NTP
authentication on the client, and specify the NTP server's IP address and the authentication
key sent to the server. Otherwise, NTP authentication is not performed, and the NTP server
and client directly synchronize their clocks.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC and ensure that they
have reachable routes to each other.
# Configure an IP address and a route on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] ip route-static 10.1.2.0 24 10.1.1.2
Step 2 On SwitchA, configure the NTP master clock and enable NTP authentication.
# Configure the local clock of SwitchA as the master clock, and set the clock
stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Enable NTP authentication, configure the authentication key, and declare that
the key is reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchA] ntp-service reliable authentication-keyid 42
Step 3 On SwitchB, enable NTP authentication, configure the authentication key, declare
that the key is reliable, and specify SwitchA as the NTP server.
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchB] ntp-service reliable authentication-keyid 42
[SwitchB] ntp-service unicast-server 10.1.1.1 authentication-keyid 42
Step 4 On SwitchC, enable NTP authentication, configure the authentication key, declare
that the key is reliable, and specify SwitchA as the NTP server.
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
# Check the NTP status of SwitchB. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: -1.6796 ms
root delay: 2.71 ms
root dispersion: 21.87 ms
peer dispersion: 10.94 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized
# Check the NTP status of SwitchC. The clock status is synchronized, indicating
that clock synchronization is complete. The clock stratum is 3, one level below
(one stratum number higher than) the NTP server SwitchA.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 13.6320 ms
root delay: 2.71 ms
root dispersion: 2.76 ms
peer dispersion: 10.94 ms
reference time: 08:57:44.160 UTC Nov 22 2013(D6399E4E.052B2BFD)
synchronization state: clock synchronized
----End
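A check over the display ntp-service status output shown in the verification steps, as an added monitoring example that is not part of the switch software. It parses the key: value lines into a dictionary and flags the conditions an operator cares about: a clock status other than synchronized, a reference clock ID that is not the configured server (the device is following a source the operator did not intend, for instance a rogue broadcast server), a stratum other than one below the server's, and an offset outside a bound. SAMPLE is the SwitchB output copied from the example above; the expected server, stratum and the 50 ms bound are assumptions the operator would set for their own network.

```python
"""Checks on the output of display ntp-service status, as shown in the
verification steps of this chapter. Added example for monitoring, not part of
the switch software. SAMPLE is the SwitchB output copied from the example
above; the expected server, stratum and offset bound are the operator's own
assumptions."""
import re

SAMPLE = """\
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: -1.6796 ms
root delay: 2.71 ms
root dispersion: 21.87 ms
peer dispersion: 10.94 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized
"""


def parse_status(text):
    """'key: value' lines -> dict; the value itself may contain colons
    (the reference time does), so split only on the first one."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def offset_ms(fields):
    """Numeric clock offset in milliseconds, or None if the field is absent."""
    m = re.match(r"(-?\d+(?:\.\d+)?)\s*ms", fields.get("clock offset", ""))
    return float(m.group(1)) if m else None


def check_status(text, expected_server, expected_stratum, max_offset_ms=50.0):
    """Returns a list of problems (empty when the clock looks healthy).
    A reference clock ID other than the configured server means the device is
    following a source the operator did not intend; stratum 16 means it has
    no usable source at all."""
    f = parse_status(text)
    problems = []
    if f.get("clock status") != "synchronized":
        problems.append("clock status is %r" % f.get("clock status"))
    if f.get("reference clock ID") != expected_server:
        problems.append("reference clock ID is %r, expected %r"
                        % (f.get("reference clock ID"), expected_server))
    stratum = int(f.get("clock stratum", 16))
    if stratum != expected_stratum:
        problems.append("stratum is %d, expected %d" % (stratum, expected_stratum))
    off = offset_ms(f)
    if off is None or abs(off) > max_offset_ms:
        problems.append("clock offset %s ms outside +/-%.1f ms" % (off, max_offset_ms))
    return problems


if __name__ == "__main__":
    print(check_status(SAMPLE, "10.1.1.1", 3))          # []
    print(check_status(SAMPLE, "10.0.0.1", 3))          # wrong reference clock
    print(check_status(SAMPLE, "10.1.1.1", 3, 1.0))     # offset over a 1 ms bound
```

The check keys on the clock status line; the synchronization state line differs between the two examples in this chapter (clock synchronized in one, clock set in the other), so it is parsed but not relied on.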
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local clock of SwitchA as the NTP master clock.
2. Configure the NTP unicast server/client mode to synchronize the clocks of
SwitchB and SwitchA. Configure SwitchA as the NTP server and SwitchB as the
NTP client.
3. Configure the NTP symmetric peer mode to synchronize the clocks of SwitchB
and SwitchC. Configure SwitchC as the symmetric active peer that sends a
clock synchronization request to SwitchB.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
Configure an IP address for each interface according to Figure 13-12. After the
configuration is complete, SwitchA, SwitchB, and SwitchC can ping each other.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC
are similar to the configuration of SwitchA, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
After the configuration is complete, SwitchB can synchronize its clock with the
clock of SwitchA.
Check the NTP status of SwitchB. The clock status is synchronized, indicating that
the clock synchronization is complete. The clock stratum is 3, which is one stratum
lower than that of SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.0.0.1
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
synchronization state: clock set
Because SwitchC is not configured with a master clock and its clock stratum is
higher (that is, less accurate) than that of SwitchB, SwitchC synchronizes its
clock with the clock of SwitchB. SwitchB, which already follows the stratum-2
master clock of SwitchA, does not take time from SwitchC.
Step 5 Verify the configuration.
# Check the clock status of SwitchC. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum of SwitchC is 4,
which is one stratum lower than that of the symmetric passive peer SwitchB.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.2
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
synchronization state: clock set but frequency not determined
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service refclock-master 2
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
interface Vlanif10
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
Figure 13-13 Configuring the NTP broadcast mode with NTP authentication
enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchA as the master clock server, use its local clock as the NTP
master clock, and set the clock stratum to 3.
2. Configure SwitchA as the NTP broadcast server that sends broadcast packets
through VLANIF 10 (the corresponding physical interface is GE0/0/1).
3. Configure SwitchB and SwitchC as NTP broadcast clients.
4. Enable NTP authentication so that SwitchB and SwitchC accept only broadcast
packets carrying a valid message authentication code computed with the
shared key, and ignore spoofed NTP broadcasts from other hosts on the VLAN.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC
are similar to the configuration of SwitchA, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.0.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
Step 3 Configure the NTP broadcast server and enable NTP authentication.
# Configure the local clock of SwitchA as the NTP master clock, and set the clock
stratum to 3.
[SwitchA] ntp-service refclock-master 3
# Configure SwitchA as the NTP broadcast server that sends NTP broadcast
packets from VLANIF 10, and specify key 16 to authenticate them. The key is
used to compute a message authentication code that clients verify; it does not
encrypt the packets.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ntp-service broadcast-server authentication-keyid 16
[SwitchA-Vlanif10] quit
Step 4 Configure SwitchB as an NTP broadcast client, which is on the same network
segment as the NTP server.
Step 5 Configure SwitchC as an NTP broadcast client, which is on the same network
segment as the NTP server.
After the configuration is complete, SwitchB and SwitchC can synchronize their
clocks to the clock of SwitchA.
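Steps 3 to 5 work because every broadcast packet from SwitchA carries a message authentication code computed with key 16, and the clients accept a packet only if authentication is enabled, the key ID is one they hold, that key is declared reliable, and the MAC verifies. The following Python script is an added example, not Huawei code, that models that acceptance logic with a constructed key table and shows what each missing piece costs: a bare packet is accepted when authentication is off, a key that is configured but not declared reliable is rejected, and an on-path change to the transmit timestamp breaks the MAC. The page names the mode hmac-sha256 but does not define the exact digest construction, so the script assumes the classic RFC 5905 trailer layout (48-byte header, 4-byte key ID, digest) with HMAC-SHA256 as the digest; key values, key 17 and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Constructed key table standing in for the switch's NTP key configuration.
# Key 16 mirrors the page: configured with "authentication-keyid 16 ... cipher"
# and declared trusted with "reliable authentication-keyid 16". Key 17 is
# configured but never declared reliable. Both key values are hypothetical.
KEYS = {
    16: {"key": b"Hello123", "reliable": True},
    17: {"key": b"OtherKey", "reliable": False},
}

MAC_LEN = 4 + hashlib.sha256().digest_size   # key ID + HMAC-SHA256 digest (assumed layout)


def to_ntp_ts(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_OFFSET) << 32) | frac


def build_header(stratum, ref_id, transmit_unix, mode=5):
    """48-byte NTPv4 header in RFC 5905 layout. mode 5 = broadcast server."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    ts = to_ntp_ts(transmit_unix)
    return struct.pack("!BBbbII4sQQQQ",
                       li_vn_mode, stratum, 6, -18,  # LI/VN/mode, stratum, poll, precision
                       0, 0,                         # root delay, root dispersion
                       ref_id,                       # reference ID (4 bytes)
                       ts, 0, 0, ts)                 # reference, origin, receive, transmit


def forge_mac(header, key_id, key):
    """Append key ID + HMAC-SHA256(key, header). Anyone can call this with any
    key and any ID, which is why the receiver must check the key, not the ID."""
    digest = hmac.new(key, header, hashlib.sha256).digest()
    return header + struct.pack("!I", key_id) + digest


def sign(header, key_id):
    """What the broadcast server does: authenticate with a configured key."""
    return forge_mac(header, key_id, KEYS[key_id]["key"])


def verify(packet, authentication_enabled=True):
    """Client-side acceptance check. Returns (accepted, reason)."""
    header, trailer = packet[:48], packet[48:]
    if len(header) != 48:
        return False, "truncated header"
    if not trailer:
        # Without "ntp-service authentication enable" a bare packet is accepted,
        # so any host on the segment could feed the client a bogus time.
        if authentication_enabled:
            return False, "unauthenticated packet rejected"
        return True, "accepted without authentication"
    if len(trailer) != MAC_LEN:
        return False, "malformed MAC"
    key_id = struct.unpack("!I", trailer[:4])[0]
    entry = KEYS.get(key_id)
    if entry is None:
        return False, "unknown key ID %d" % key_id
    if not entry["reliable"]:
        return False, "key ID %d not declared reliable" % key_id
    expected = hmac.new(entry["key"], header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return False, "MAC mismatch (wrong key or tampered packet)"
    return True, "accepted"


def shift_transmit_time(packet, delta_seconds):
    """Simulate an on-path attacker rewriting the transmit timestamp in place."""
    header = bytearray(packet[:48])
    ts = struct.unpack("!Q", header[40:48])[0] + (delta_seconds << 32)
    header[40:48] = struct.pack("!Q", ts)
    return bytes(header) + packet[48:]


if __name__ == "__main__":
    hdr = build_header(3, b"LOCL", 1385110484.160)   # stratum 3, like SwitchA above
    good = sign(hdr, 16)
    for label, pkt, enabled in [
        ("server packet, key 16", good, True),
        ("same packet, time shifted by +3600 s", shift_transmit_time(good, 3600), True),
        ("signed with key 17 (not reliable)", sign(hdr, 17), True),
        ("attacker guesses key ID 16", forge_mac(hdr, 16, b"wrong"), True),
        ("unknown key ID 99", forge_mac(hdr, 99, b"x"), True),
        ("no MAC, authentication enabled", hdr, True),
        ("no MAC, authentication disabled", hdr, False),
    ]:
        print("%-40s -> %s" % (label, verify(pkt, enabled)))
```

Two points the run makes visible: the MAC covers the timestamps, so shifting the transmit time by an hour is detected even though the attacker never needed the key to read or rewrite the packet (nothing is encrypted), and a key that is merely configured on the client is not enough; the "reliable" declaration is what lets the client act on it.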
# Check the NTP status of SwitchC. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 4, which is one
stratum lower than that of the NTP server SwitchA.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2012(C7B7F851.C5EAF25B)
synchronization state: clock synchronized
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %^%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid 16
ntp-service refclock-master 3
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchC as the master clock server, use its local clock as the NTP
master clock, and set the clock stratum to 2.
2. Configure SwitchC as the NTP multicast server that sends multicast packets
through VLANIF 10 (the corresponding physical interface is GE0/0/1).
3. Configure SwitchA and SwitchB as NTP multicast clients. Configure SwitchA to
listen to multicast packets on VLANIF 10 (the corresponding physical interface
is GE0/0/2). Configure SwitchB to listen to multicast packets on VLANIF 10
(the corresponding physical interface is GE0/0/1).
Procedure
Step 1 Configure an IP address for each interface according to Figure 13-14 and ensure
that the switches have reachable routes to each other.
# Configure an IP address on SwitchB. The configurations of SwitchC and SwitchA
are similar to the configuration of SwitchB, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type hybrid
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.1 24
[SwitchB-Vlanif10] quit
# Configure the local clock of SwitchC as the NTP master clock, and set the clock
stratum to 2.
[SwitchC] ntp-service refclock-master 2
# Configure SwitchC as the NTP multicast server that sends NTP multicast packets
through VLANIF 10.
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ntp-service multicast-server
[SwitchC-Vlanif10] quit
Step 4 Configure SwitchA and SwitchB as NTP multicast clients, which are on the same
network segment as the NTP multicast server.
After the configuration is complete, SwitchA and SwitchB can synchronize their
clocks with the clock of SwitchC.
# Check the NTP status of SwitchC. The clock stratum is 2 and the reference clock
is LOCAL, indicating that the local clock functions as the reference clock.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.95 ms
peer dispersion: 10.00 ms
reference time: 12:25:19.710 UTC Nov 19 2013(D635D72F.B5F41AEF)
synchronization state: clock synchronized
# Check the NTP status of SwitchA. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchC.
[SwitchA] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.3.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 40.00 ms
root dispersion: 4.38 ms
peer dispersion: 34.30 ms
reference time: 12:17:21.773 UTC Mar 7 2013(C7B7F851.C5EAF25B)
synchronization state: clock synchronized
# Check the NTP status of SwitchB. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchC.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.3.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2013(C7B7F851.C5EAF25B)
synchronization state: clock synchronized
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
#
interface Vlanif10
ip address 10.1.3.1 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10
#
ntp-service server disable