
S300, S500, S2700, S5700, and S6700 Series

Ethernet Switches
Configuration Guide - Device Management 13 NTP Configuration

13 NTP Configuration

13.1 Overview of NTP
13.2 Understanding NTP
13.3 Application Scenarios for NTP
13.4 Licensing Requirements and Limitations for NTP
13.5 Configuring Basic NTP Functions
13.6 Configuring the Client Clock
13.7 Configuring the Local Source Interface for Sending and Receiving NTP Packets
13.8 Limiting the Number of Local Dynamic Sessions
13.9 Configuring NTP Access Control
13.10 Maintaining NTP
13.11 Configuration Examples for NTP

13.1 Overview of NTP

Definition
Network Time Protocol (NTP) is an application layer protocol belonging to the
Transmission Control Protocol/Internet Protocol (TCP/IP) suite. NTP synchronizes
time between time servers and clients. NTP implementation is based on Internet
Protocol (IP) and User Datagram Protocol (UDP). NTP transmission occurs through
UDP port 123.

Purpose
As network topologies become increasingly complex, clock synchronization
becomes more important for all devices within a network. Manual configuration
of system clocks by network administrators is both labor-intensive and error-
prone, potentially affecting clock precision. NTP operates as a network protocol
which synchronizes the clocks of devices within a network.

Issue 01 (2023-09-30) Copyright © Huawei Technologies Co., Ltd. 735



NTP is applied when all devices on a network require consistency between their
clocks, such as in the following situations:
● When network management requires timestamps on the analysis logs and
debugging messages collected from different routers.
● When an accounting system requires that all device clocks be consistent.
● When multiple systems must reference the same clock when operating
together to process complicated events.
● When performing incremental backup, a backup server and clients require
synchronization between clocks.
● When certain applications require access to user login or file modification
times.
NOTE

A switch can function as both an NTP server and an NTP client.

Version Evolution
NTP evolved from a simple time protocol using the ICMP Timestamp message.
NTP has grown in complexity, now maintaining time synchronization with
improved security and reliability. Table 13-1 lists the NTP versions and their
updates.

Table 13-1 NTP version evolution

| Version | Date | Standard | Description |
|---|---|---|---|
| NTPv1 | June 1988 | RFC 1059 | NTPv1 encompasses complete NTP rules and algorithms, but does not support authentication and control messages. |
| NTPv2 | September 1989 | RFC 1119 | In addition to encompassing complete NTP rules and algorithms, NTPv2 supports authentication and control messages. |
| NTPv3 | March 1992 | RFC 1305 | NTPv3 utilizes correctness rules while improving clock selection and filter algorithms. NTPv3 has been widely adopted, and only operates on an IPv4 network. |
| NTPv4 | June 2010 | RFC 5905 | While similar to NTPv3, NTPv4 operates on both IPv4 and IPv6 networks. NTPv4 is backward compatible with NTPv3, and provides a complete encryption and authentication system, which is lacking in NTPv3. |


13.2 Understanding NTP

13.2.1 NTP Fundamentals


In Figure 13-1, the NTP client and server are connected to each other. The clock
systems of each are independent, and system clock synchronization utilizes NTP.
The characteristics of these clocks are as follows:
● Prior to the synchronization of system clocks, the clock of the NTP client is set
to Ta and the clock of the NTP server is set to Tb.
● The NTP server functions as the NTP clock server. The NTP client requires
clock synchronization with the NTP clock server, which is in this case the NTP
server.
● It is assumed that the precision of system clocks on both the NTP client and
server is 0. A precision of 0 denotes complete precision.

Figure 13-1 NTP implementation

NTP implementation follows these steps:


1. The NTP client sends an NTP request to the NTP server at time 1 (T1). This
packet carries timestamp T1, which is the departure time of the packet from
the client.
2. The request packet is received and processed by the NTP server. Time 2 (T2) is
added to the packet.
3. The NTP server sends an NTP reply packet at time 3 (T3). T3 is added to the
packet.
4. The NTP client receives the reply packet at time 4 (T4).
Through the preceding interaction, the NTP client obtains four time parameters:
T1, T2, T3, and T4. The time difference must be adjusted by the NTP client. As the
clocks of the NTP client and server are precise, the time difference can be
calculated using the following formulas:
1. Calculate the time (Delay) taken to send an NTP packet from the client to the
server using the following formula:
Delay = [(T4 - T1) - (T3 - T2)]/2
2. Calculate the time difference (Offset) between the clocks of the client and
server. At T4, for example, the server clock is T3 + Delay. The Offset is
calculated using the following formula:
T4 + Offset = T3 + Delay
To calculate Offset, the above formula can be rearranged as follows:
Offset = T3 + Delay - T4
Substituting the expression for Delay gives the final formula:
Offset = T3 + [(T4 - T1) - (T3 - T2)]/2 - T4 = [(T2 - T1) + (T3 - T4)]/2
The NTP client clock is adjusted based on the Offset. This synchronizes the
NTP client clock with the server.

NOTE

Clocks in the preceding description are precise. However, this cannot be assumed of all
client and server clocks, as clocks may differ. RFC 1305 defines complex algorithms,
allowing NTP to ensure the precision of clock synchronization.
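
The four-timestamp exchange above, carried through on a constructed 48-byte NTP request and reply. This is an added example, not code from this guide: the packet builders and sample times are constructed, and the Origin-timestamp check (applied by RFC 5905 clients, not described in this section) is an addition of the example.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
HEADER_LEN = 48                  # fixed NTP header: 16 bytes of fields + four timestamps


def to_ntp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction."""
    seconds = int(unix_time)
    fraction = int((unix_time - seconds) * 2**32)
    return struct.pack("!II", seconds + NTP_UNIX_DELTA, fraction)


def from_ntp(raw):
    """Decode a 64-bit NTP timestamp back to Unix time."""
    seconds, fraction = struct.unpack("!II", raw)
    return (seconds - NTP_UNIX_DELTA) + fraction / 2**32


def build_request(t1):
    """Client side (constructed): VN=4, Mode=3, T1 in the Transmit field (bytes 40-47)."""
    first = (4 << 3) | 3
    return struct.pack("!B39x", first) + to_ntp(t1)


def build_reply(request, t2, t3, stratum=1):
    """Server side (constructed): copy the client's T1 into Origin, add T2 and T3."""
    first = (4 << 3) | 4                                   # VN=4, Mode=4 (server)
    head = struct.pack("!BBbbII4s", first, stratum, 6, -20, 0, 0, b"GPS\x00")
    reference = to_ntp(t2)                                 # placeholder reference time
    return head + reference + request[40:48] + to_ntp(t2) + to_ntp(t3)


def delay_and_offset(request, reply, t4):
    """Return (Delay, Offset) in seconds using the formulas in this section."""
    if len(reply) < HEADER_LEN:
        raise ValueError("reply shorter than the 48-byte NTP header")
    if reply[0] & 0x07 != 4:
        raise ValueError("reply is not Mode 4 (server)")
    # A reply whose Origin field is not the T1 we sent does not belong to this
    # exchange (stale, duplicated or spoofed) and must not steer the clock.
    if reply[24:32] != request[40:48]:
        raise ValueError("Origin timestamp does not match the T1 that was sent")
    t1 = from_ntp(request[40:48])
    t2 = from_ntp(reply[32:40])                            # Receive timestamp
    t3 = from_ntp(reply[40:48])                            # Transmit timestamp
    delay = ((t4 - t1) - (t3 - t2)) / 2
    offset = t3 + delay - t4
    return delay, offset


def demo():
    """Constructed case: client 2.5 s behind, 20 ms each way, 1 ms server processing."""
    base = 1_700_000_000.0
    request = build_request(base)                          # T1 on the client clock
    reply = build_reply(request, base + 2.520, base + 2.521)   # T2, T3 on the server clock
    return delay_and_offset(request, reply, base + 0.041)      # T4 on the client clock


if __name__ == "__main__":
    d, o = demo()
    print(f"Delay = {d:.3f} s, Offset = {o:.3f} s")
```
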

Comparisons between synchronous Ethernet and other clock synchronization protocols

| Clock Protocol | Whether Frequency Synchronization Is Supported | Whether Time Synchronization Is Supported | Time Synchronization Accuracy | Signal Transmission Mode |
|---|---|---|---|---|
| NTP | No | Yes | Millisecond accuracy | Time signals are transmitted using NTP packets. |
| Synchronous Ethernet | Yes | No | - | Clock signals are transmitted using serial data streams at the physical layer, without affecting upper-layer services and CPU performance. |
| PTP | Yes | Yes | Sub-microsecond accuracy | Clock and time signals are transmitted using PTP packets, and higher time accuracy is achieved with the assistance of hardware. |

13.2.2 Network Architecture


Key concepts of NTP architecture and their functions include the following:
● Primary time server
Directly synchronizes its clock with a standard reference clock through a cable
or radio. Typically, the standard reference clock is either a radio clock or the
Global Positioning System (GPS).
● Secondary time server
Synchronizes its clock with either the primary time server or other secondary
time servers within the network. A secondary time server transmits the time
information to other hosts within the local area network (LAN) through NTP.
● Stratum
A hierarchical standard for clock synchronization. It represents the precision of
a clock. The value of a stratum ranges from 1 to 16. A smaller value indicates
higher precision. The value 1 indicates the highest precision, and 16 indicates
that the clock is not synchronized.

● Synchronization subnet
Consists of the primary time server, secondary time servers, PC clients, and
interconnecting transmission paths displayed in Figure 13-2.

Figure 13-2 NTP architecture

Under typical circumstances within a synchronization subnet, the primary time
server and the secondary time servers are arranged in a hierarchical-master-slave
structure. In this structure, the primary time server is located at the root, and the
secondary time servers are located near leaf nodes. As their stratum increases,
their precision decreases accordingly. The decreased precision of the secondary
time servers varies based upon both network path and local clock stability.

NOTE

When the synchronization subnet has multiple primary time servers, the optimal server is
selected.

The design of NTP architecture ensures that:


● The synchronization subnet will automatically be reconstructed into another
hierarchical-master-slave structure when faults occur. These can occur on one
or more primary or secondary time servers, or any of the network paths
connecting them. This reconstruction ensures the most precise and reliable
time possible.
● When all primary time servers in the synchronization subnet are invalid, a
standby primary time server will temporarily replace it. Other secondary time
servers are synchronized among themselves. These secondary time servers
become independent of the synchronization subnet and automatically run at
the last synchronized time and frequency.
● When a switch with a stable oscillator becomes independent of the
synchronization subnet for a defined period of time, its timing error will
remain below several milliseconds per day. This is due to highly precise
calculations.


13.2.3 Operating Modes


To perform time synchronization, a device may utilize multiple NTP operating
modes. These modes are as follows:
● Unicast Server/Client Mode
● Peer Mode
● Broadcast Mode
● Multicast Mode
● Manycast Mode
Select appropriate NTP operating modes as required.

Unicast Server/Client Mode


Within a synchronous subnet, unicast server/client mode runs on a higher stratum.
In this mode, devices are required to obtain the server IP address in advance. In
unicast, hosts running in client or server mode perform the following functions:

● Client
Hosts running in client mode will periodically send packets to the server. The
Mode field of the packets has a value of 3. This indicates that the packets are
being sent by a client. Upon receiving a reply packet, the client filters clock
signals. It then selects usable clock signals, and synchronizes its clock with the
server providing the optimal clock. A client will not verify the reachability and
stratum of the server. Typically, a host running in client mode is a workstation
within a network. Clock synchronization is performed between the client and
the server but the server clock is not altered.
● Server
Hosts running in server mode receive packets from clients and then reply to
these packets. The Mode field in reply packets has a value of 4. This indicates
that the packets are being sent from a server. Typically, a host running in
server mode is a clock server within a network. Server mode hosts provide
synchronization information for clients but do not alter their own clocks.

Figure 13-3 Unicast client/server mode


During and after a restart, a host operating in client mode will periodically send
NTP request messages to the host operating in server mode. Following receipt of
an NTP request message, the server will:
● Swap the position of destination IP address and source IP address.
● Swap the position of source port number and destination port number.
● Fill in the necessary information.
● Send the message to the client.
It is not required that the server retains state information. The client will freely
adjust the interval for sending NTP request messages according to local
conditions.

Peer Mode
In peer mode, active and passive peers perform the following functions:
● Active peer
A host that functions as an active peer periodically sends packets, regardless
of whether its peers are reachable or which stratum they are on. The Mode
field in these packets has a value of 1, which indicates that the packet was
sent by an active peer. Active peers can provide time information
about the local clock to peers. They may also synchronize time information of
the local clock based on that of the peer clock.
● Passive peer
A host that functions as a passive peer receives packets from the active
peer and sends reply packets. The Mode field in a reply packet has a value
of 2, which indicates that the packet was sent by a passive peer. Passive
peers can provide time information about the local clock to peers. They may
also synchronize time information of the local clock based on that of the peer
clock.
The peer mode operates on a lower stratum within a synchronous subnet. In peer
mode, an active peer and a passive peer can synchronize with each other. The peer
with the higher stratum (a lower level) synchronizes with the peer with a lower
stratum (a higher level).
Before devices enter the peer mode, the following occurs:
1. Active peers in this mode send NTP packets. The Mode field will have a value
of 3 (the client mode).
2. Passive peers respond with NTP packets. The Mode field will have a value of 4
(the server mode).
This interaction will create a network delay, allowing devices at both ends to enter
the peer mode.


Figure 13-4 Peer mode

NOTE

The passive peer does not require configuration. A host establishes a connection and sets
relevant state variables only after receiving an NTP packet.

Broadcast Mode
Broadcast mode is applied to a high-speed network that has multiple
workstations, but only when the network does not require high precision. In
typical scenarios, one or more clock servers on a network will periodically send
broadcast packets to the workstations. The delay of packet transmission within a
LAN is measured at the millisecond level. In broadcast mode, clients and servers
perform the following functions:
● Broadcast server
A host running in broadcast mode will send clock synchronization packets to
the broadcast address 255.255.255.255 (full broadcast mode) or the broadcast
address of the network segment to which the interface IP address belongs
(subnet broadcast mode) periodically. The Mode field in a packet has a value
of 5. This indicates that the packet was sent by a host running in broadcast or
multicast mode, without considering whether peers are reachable and on
which stratum the peers are located. Hosts running in broadcast mode are
typically clock servers running high-speed broadcast media over networks.
They provide synchronization information to all peers, but do not alter their
own clocks.
● Broadcast client
Clients process clock synchronization packets received from the server. When
the first clock synchronization packet is received by the client, the client and
server exchange NTP packets with Mode fields which have a value of 3 (sent
by the client). They will also exchange NTP packets with Mode fields which
have a value of 4 (sent by the server). During this process, the client enables
server/client mode for a short time, allowing information exchange with the
remote server. This allows the client to determine the network delay between
client and server. Following this, the client returns to broadcast mode,
resuming analysis of incoming clock synchronization packets and
synchronizing the local clock.

Figure 13-5 Broadcast mode

Multicast Mode
Multicast mode is used when a significant number of clients are distributed
throughout a network. This normally results in a large number of NTP packets in the
network. In multicast mode, a single NTP multicast packet can potentially reach
all the clients on the network and reduce the control traffic on the network.

● Multicast server: A server running in multicast mode periodically sends clock
synchronization packets to a multicast address. The value of the
Mode field in a packet is set to 5. This indicates that the packet is sent by a
host that runs in broadcast or multicast mode. The host running in multicast
mode is usually a clock server running high-speed broadcast media on the
network, which provides synchronization information for all of its peers but
does not alter its own clock.
● Multicast client: The client listens to the multicast packets from the server.
When the client receives the first broadcast packet, the client and server
exchange NTP packets whose Mode fields have a value of 3 (sent by the client)
and NTP packets whose Mode fields have a value of 4 (sent by the server).
In this process, the client enables the server/client mode for a short time to
exchange information with the remote server. This allows the client to obtain
the network delay between the client and the server. Then, the client returns
to multicast mode, and continues to listen for incoming multicast packets to
synchronize the local clock.


Figure 13-6 Multicast mode

Manycast Mode
Manycast mode is applied when a small set of servers are scattered throughout a
network. Clients are able to discover and then synchronize with the closest
manycast server. Manycast is especially useful when the server changes frequently,
which would otherwise require reconfiguration of all clients within the network.
● Manycast server
The manycast server continuously analyzes incoming packets. If server
synchronization is possible, the server will return a packet with the Mode field
set to 4 using the unicast address of the client as the destination address.
● Manycast client
The manycast client periodically sends request packets with the Mode field set
to 3 to an IPv4/IPv6 multicast address. After receiving a reply packet, the
client filters and selects clock signals, and then synchronizes its clock with the
server which provides the optimal clock.
To prevent the client from constantly sending NTP request packets to the
manycast server, which causes excessive resource consumption, the NTP protocol
defines a minimum number of connections. In manycast mode, the client records
the number of connections established every time it synchronizes clock with the
server. The minimum number of connections is the minimum number of
connections used during a synchronization process. If the number of connections
used by the client reaches the minimum number during subsequent
synchronization processes and the synchronization has finished, the client
considers synchronization to be completed. The client sends a packet every time a
timeout period expires to maintain the connection. The NTP protocol uses the
time to live (TTL) to ensure successful time synchronization with the server. The
TTL process follows these steps:
1. When the client sends an NTP packet, the TTL of the packet increases from
the initial value of 1.
2. TTL increases until either the minimum number of connections is reached or
the TTL value reaches the upper limit, 255.
3. If the TTL reaches the upper limit or the number of connections reaches the
minimum number, the client stops data transmission in a timeout period,
eliminating all connections. This occurs only if the synchronization process
cannot be completed by the client.
4. The client repeats the preceding process until synchronization occurs.

NOTE

In NTP implementation, a peer structure is established for each synchronization source.
These peer structures are stored as a chain in Hash form. Each peer structure corresponds
to a connection.

Figure 13-7 Manycast mode

13.2.4 NTP Access Control


On a synchronization subnet, timekeeping on other clock servers within the subnet
should not be affected by either a faulty time server or a malicious attack. To
meet this requirement, NTP provides advanced security mechanisms: access
authority, Kiss-o'-Death (KOD) and NTP authentication.

Access Authority
To protect local clocks, devices provide access authority, which is both simple and
secure.
NTP access control is implemented based on an access control list (ACL). NTP
supports up to five levels of access authority. An ACL rule may be specified for
each level of access authority. If an NTP access request matches an ACL rule, a
match occurs and the device requesting access is given access authority on that
level.
When NTP access requests reach the local end, assuming the access request was
successfully matched with an ACL, access authority is matched from the maximum
to minimum. The first successfully matched access authority takes effect. This
matching order and the access rights of each are as follows:

1. Peer: This indicates that a time request may be made and a control query
may be performed on the local clock. The local clock can also be synchronized
to a remote server.
2. Server: This indicates that a time request may be made and a control query
may be performed on the local clock. The local clock cannot be synchronized
with the clock of a remote server.
3. Synchronization: This indicates that time requests may be made of the local
clock.
4. Query: This indicates that control queries may be performed on the local
clock.
5. Limited: When the rate of NTP packets exceeds the upper limit, incoming NTP
packets are discarded.
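
A simplified model of the matching order above, useful for auditing which authority a source address would actually receive. This is an added example, not the switch's implementation: the policy format, function names and sample prefixes are hypothetical, each level's ACL is reduced to a list of permitted prefixes, and "limited" is given no rights because this section only describes rate-based discarding for it.

```python
import ipaddress

# Matching order described above: highest authority first, first match takes effect.
LEVELS = ("peer", "server", "synchronization", "query", "limited")

# Rights per level as listed above (action names are labels chosen for this example).
RIGHTS = {
    "peer": {"time_request", "control_query", "sync_to_remote"},
    "server": {"time_request", "control_query"},
    "synchronization": {"time_request"},
    "query": {"control_query"},
    "limited": set(),   # assumption: only rate-based discarding is described for it
}

# Constructed policy: one list of permitted prefixes per access level.
SAMPLE_POLICY = {
    "peer": ["10.0.0.0/8"],                         # meant for core switches, written too broadly
    "server": ["10.1.1.0/24"],
    "synchronization": ["192.0.2.0/24"],
    "query": ["10.9.9.9/32", "198.51.100.7/32"],    # monitoring hosts
}


def parse_policy(policy):
    """Turn {level: [prefix, ...]} into {level: [ip_network, ...]}; reject unknown levels."""
    unknown = set(policy) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown access level(s): {sorted(unknown)}")
    return {lvl: [ipaddress.ip_network(p) for p in policy.get(lvl, [])] for lvl in LEVELS}


def effective_level(source, policy):
    """Return the first level, from peer down to limited, whose ACL matches the source."""
    addr = ipaddress.ip_address(source)
    nets = parse_policy(policy)
    for level in LEVELS:
        if any(addr in net for net in nets[level]):
            return level
    return None          # no ACL matched; handling of that case is outside this model


def is_allowed(source, action, policy):
    """True if the level granted to this source includes the requested action."""
    level = effective_level(source, policy)
    return level is not None and action in RIGHTS[level]


def shadowed_entries(policy):
    """List lower-level prefixes that never take effect because a higher level covers them."""
    nets = parse_policy(policy)
    findings = []
    for i, low in enumerate(LEVELS):
        for net in nets[low]:
            for high in LEVELS[:i]:
                for cover in nets[high]:
                    if net.version == cover.version and net.subnet_of(cover):
                        findings.append((low, str(net), high, str(cover)))
    return findings


if __name__ == "__main__":
    for src in ("10.1.1.5", "10.9.9.9", "192.0.2.20", "198.51.100.7", "203.0.113.1"):
        print(src, "->", effective_level(src, SAMPLE_POLICY))
    for finding in shadowed_entries(SAMPLE_POLICY):
        print("shadowed:", finding)
```

Because matching starts at the peer level, the broad 10.0.0.0/8 entry gives the monitoring host 10.9.9.9 peer authority even though it is also listed under query; keeping the higher levels as narrow as possible avoids this.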

Kiss-o'-Death
The KOD function can perform access control if enabled on the server. This is
useful when a server's load-bearing capabilities are exceeded by receiving a
significant number of client access packets within a specified time period. KOD is a
modern access control technology implemented in NTPv4. It is used by the server
to provide information to the client. Information provided includes status reports
and access control.
A KOD packet is a unique variety of NTP packet. The packet is termed a KOD
packet when the stratum field in an NTP packet is 0. The ASCII message it conveys
is called a kiss code and represents access control information. Two types of kiss
codes are supported: DENY and RATE.
With the KOD function enabled on a server, the server sends kiss code DENY or
RATE to the client based on configuration. These codes perform the following:
● When the client receives kiss code DENY, the client terminates all connections
to the server and stops sending packets to the server.
● When the client receives kiss code RATE, the client immediately reduces its
polling interval to the server and continues to reduce the interval if receiving
subsequent RATE kiss codes.
NOTE

After the KOD function is enabled, the corresponding ACL rule needs to be configured. With
the ACL rule configured to deny, the server sends the DENY kiss code. When the ACL rule is
configured as permit and the number of NTP packets received reaches configured upper
limits, the server sends the RATE kiss code.
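
The Mode values from 13.2.3 and the KOD rule above (stratum 0, kiss code DENY or RATE) applied to constructed packets, as a monitoring aid for spotting clients that a server is denying or rate limiting. This is an added example, not code from this guide; the function names, sample addresses and packets are constructed, and the kiss code is read from the Reference ID field (bytes 12 to 15) as defined in RFC 5905.

```python
import struct
from collections import Counter, defaultdict

# Mode field values as given in section 13.2.3.
ROLES = {
    1: "active peer",
    2: "passive peer",
    3: "client",
    4: "server",
    5: "broadcast or multicast server",
}

# Cause of each kiss code according to the NOTE above.
KISS_CAUSE = {
    "DENY": "the server's ACL rule denies this client",
    "RATE": "ACL permits the client, but the NTP packet count reached the configured upper limit",
}


def make_packet(mode, stratum, ref_id=b"\x00" * 4, version=4):
    """Build a constructed 48-byte NTP header; timestamps are left as zeros."""
    return struct.pack("!BBbbII4s32x", (version << 3) | mode, stratum, 6, -20, 0, 0, ref_id)


def classify(packet):
    """Decode version, Mode and stratum, and extract the kiss code of a KOD packet."""
    if len(packet) < 48:
        raise ValueError("shorter than the 48-byte NTP header")
    mode = packet[0] & 0x07
    info = {
        "version": (packet[0] >> 3) & 0x07,
        "mode": mode,
        "role": ROLES.get(mode, "not described in this section"),
        "stratum": packet[1],
        "kiss": None,
    }
    # Stratum 0 marks a KOD packet. Client requests (Mode 3) can also carry
    # stratum 0 simply because the sender is unsynchronized, so they are skipped.
    if packet[1] == 0 and mode != 3:
        code = packet[12:16].rstrip(b"\x00")
        if code and all(0x20 <= b < 0x7F for b in code):
            info["kiss"] = code.decode("ascii")
    return info


def kod_report(capture):
    """capture: iterable of (source_ip, packet). Returns {source_ip: {kiss_code: count}}."""
    report = defaultdict(Counter)
    for source, packet in capture:
        try:
            kiss = classify(packet)["kiss"]
        except ValueError:
            continue                      # truncated datagram, not a full NTP header
        if kiss:
            report[source][kiss] += 1
    return {source: dict(counts) for source, counts in report.items()}


# Constructed capture as seen on a client: (source address, UDP payload).
SAMPLE_CAPTURE = [
    ("192.0.2.10", make_packet(3, 0)),                             # our own request
    ("192.0.2.1", make_packet(4, 2, bytes([192, 0, 2, 254]))),     # normal reply
    ("192.0.2.1", make_packet(4, 0, b"RATE")),
    ("192.0.2.1", make_packet(4, 0, b"RATE")),
    ("192.0.2.2", make_packet(4, 0, b"DENY")),
    ("192.0.2.3", make_packet(5, 3)),                              # broadcast server
    ("192.0.2.4", b"\x23" * 10),                                   # truncated
]

if __name__ == "__main__":
    for source, codes in kod_report(SAMPLE_CAPTURE).items():
        for code, count in codes.items():
            print(f"{source}: {code} x{count}: {KISS_CAUSE.get(code, 'other kiss code')}")
```
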

Authentication
NTP authentication is applicable to networks requiring high security. Different
keys may be configured for different operating modes.
When NTP authentication is enabled in certain NTP operating modes, the system
records the key ID in that operating mode. Authentication is applied in the
sending and receiving processes, which are defined as follows:
● Sending process
The system determines whether authentication is required in this operating
mode. If authentication is not required, the system directly sends a packet. If
authentication is required, the system encrypts the packet using both the key
ID and an encryption algorithm before sending it.
● Receiving process
After receiving a packet, the system determines whether the packet needs to
be authenticated in this operating mode. If authentication is not required,
the system processes the packet directly. If authentication is required,
the system authenticates the packet using the key ID and a decryption
algorithm. If authentication fails, the system discards the packet. If
authentication succeeds, the system processes the received packet.

13.3 Application Scenarios for NTP

Typical Application Scenario


On the network in Figure 13-8, SwitchA is accessing the NTP master clock server
to synchronize all clocks within the network. SwitchA is configured as the unicast
server, and SwitchB, SwitchC and SwitchD are configured as unicast clients.
SwitchE acts as a symmetric peer of both the upstream SwitchB and downstream
SwitchF.

Figure 13-8 Typical NTP networking


Application in VPN
Figure 13-9 shows an NTP application in a VPN. Both CE A and CE B belong to VPN 2.
CE B is used as an NTP unicast server, CE A is used as an NTP unicast client, and
NTP time synchronization can be implemented between CE B and CE A.

Figure 13-9 NTP application in VPN

13.4 Licensing Requirements and Limitations for NTP


Involved Network Elements
Other network elements are required to support NTP.

Licensing Requirements
NTP is a basic feature of a switch and is not under license control.

Feature Support in V200R023C00


All models of S300, S500, S2700, S5700, and S6700 series switches support NTP.

NOTE

For details about software mappings, visit Hardware Center and select the desired product
model.
The S5731-L and S5731S-L are remote units and do not support web-based management,
YANG, or commands. They can be configured only through configuration delivery by the
central device. For details, see "Simplified Architecture Configuration (the Solar System
Solution)" in the S300, S500, S2700, S5700, and S6700 V200R023C00 Configuration Guide -
Device Management.

Feature Limitations
● The existing configuration will not be deleted when the NTP service is
disabled.

● If the device does not support Real-Time Clock (RTC), it is recommended that
you configure NTP to ensure time accuracy in logs. The following models do
not support RTC:
S2720-EI, S2750-EI, S5700-10P-LI-AC, S5700-10P-PWR-LI-AC, S5700-28P-LI-BAT,
S5700-28P-LI-24S-BAT, S5720-LI, S5720S-LI, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720I-6X-PWH-SI-AC,
S5720I-10X-PWH-SI-AC, S5720I-12X-SI-AC, S5720I-12X-PWH-SI-DC, S5735-S-I
● If the switch does not support RTC, manually set the device time. If the switch
is powered off and restarts, the device time will become inaccurate. You need
to manually set the device time again.

13.5 Configuring Basic NTP Functions

Pre-configuration Tasks
Before configuring the basic NTP functions, configure the network layer address
and routing protocol of each interface. This ensures that destinations of NTP
packets are reachable.

Configuration Procedure
Basic NTP configuration consists of configuring the NTP primary clock and
configuring the NTP operating modes.

13.5.1 Configuring an NTP Primary Clock


Context
The clock of a network device can be synchronized using the local clock or by
using the clock of another network device as a reference clock.
If both methods are enabled, the device selects the optimal clock source by
selecting the clock with the lower stratum.
For a synchronization subnet, an authoritative clock is used as a reference time
source and is at the top of the synchronization subnet hierarchy. The authoritative
clock is stratum 0. The current authoritative clock is typically a radio clock or GPS.
The authoritative clock is synchronized through the broadcast Coordinated
Universal Time (UTC) time code rather than NTP.
In typical applications, the NTP server synchronized with the authoritative clock is
set as stratum 1. The NTP server is used as the master reference clock source if the
local clock of the NTP server is configured as the NTP primary clock. The stratum
of the clock on a network device is determined by its NTP distance to the master
reference clock source. Typically, this distance is determined by the number of NTP
servers which compose the NTP synchronization chain.
Figure 13-10 shows a typical NTP synchronization subnet. SwitchA is the primary
clock with stratum 1. The clock synchronization direction is SwitchA -> SwitchB
-> SwitchC. SwitchC can synchronize with SwitchB only after SwitchB
synchronizes with SwitchA. After all the devices are synchronized, SwitchB is
stratum 2 and SwitchC is stratum 3.


Figure 13-10 NTP synchronization subnet

NOTE

When the local clock is configured as the reference clock, the local device clock can be used
to synchronize other device clocks on the network. Ensure there are no conflicts with this
configuration to avoid network errors.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service refclock-master [ ip-address ] [ stratum ]
The local clock is configured as the NTP primary clock.
By default, an NTP primary clock is not specified.

----End

13.5.2 Configuring NTP Operating Modes


Context
The following NTP operating modes are supported by devices:

| Operating Mode | Usage Scenario | Configuration |
|---|---|---|
| Unicast client/server mode | Within a synchronization subnet, the unicast client/server mode operates on a higher stratum. In this mode, the server IP address must be obtained in advance. | Only the client requires configuration. The server needs to be configured with only an NTP primary clock. The client can be synchronized to the server. The server cannot be synchronized to the client. |
| Symmetric peer mode | Within a synchronization subnet, symmetric peer mode operates on a lower stratum. In this mode, symmetric active and passive peers can be synchronized with each other. | Only the symmetric active peer requires configuration. In symmetric peer mode, symmetric peers of higher strata are synchronized to symmetric peers of lower strata. |
| Broadcast mode | In broadcast mode, clock synchronization can be implemented when: ● The IP addresses of servers or symmetric peers are not determined. ● The clocks of a large number of devices require synchronization on a network. | Relevant commands need to be run on both the server and client. The client can be synchronized to the server. The server cannot be synchronized to the client. |
| Multicast mode | Multicast mode applies to high-speed networks with multiple clients that do not require high precision. In a typical scenario, one or more clock servers on the network periodically send multicast packets to clients, and the clients synchronize time based on the multicast packets. | Relevant commands need to be run on both the server and client. The client can be synchronized to the server. The server cannot be synchronized to the client. |
| Manycast mode | Manycast mode applies to scenarios where servers are scattered throughout a network. Once discovered, the client can synchronize with the closest manycast server. Manycast mode applies to scenarios where servers are unstable and network clients do not require reconfiguration if server characteristics or configuration change. | Relevant commands need to be run on both the server and client. Note that the client can be synchronized to the server. The server cannot be synchronized to the client. |

NOTE

Switches can function as both an NTP server and NTP client.


If a source address from which NTP packets are sent is specified on the server, the address
must be identical to the server IP address of the client. If these addresses differ, the client
will be unable to process the NTP packets sent by the server. This will result in clock
synchronization failure.

Procedure
● Unicast Client/Server Mode
NOTE

In the unicast client/server mode, only the client and the NTP primary clock on the
server require configuration.
Once the server clock is synchronized, the server can function as a clock server. Other
devices can then be synchronized to that server. When the clock stratum of the server
is greater than or equal to the clock stratum of the client, the client will not
synchronize to the server.
To configure multiple servers, run the ntp-service unicast-server command
repeatedly. The client selects the optimal clock as its preferred clock.

Configure the unicast client.


a. Run system-view
The system view is displayed.
b. Run:

▪ ntp-service unicast-server ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | preference | vpn-instance vpn-instance-name | maxpoll max-number | minpoll min-number | burst | iburst | preempt | port port-number ] *
An NTP server with a specified IPv4 address is configured.

▪ ntp-service unicast-server ipv6 ipv6-address [ authentication-keyid key-id | source-interface interface-type interface-number | preference | vpn-instance vpn-instance-name | maxpoll max-number | minpoll min-number | burst | iburst | preempt | port port-number ] *
An NTP server with a specified IPv6 address is configured.

The value of ip-address or ipv6-address is the IP address of the NTP
server. It can be a host address but cannot be a broadcast or multicast
address.

To specify the authentication-keyid parameter, see 13.9.4 Configuring
NTP Authentication.

If the port parameter is specified, specify the same port number on the
server using the ntp-service port port-value command.
● Symmetric Peer Mode
NOTE

Only the IP address of the symmetric passive peer on the symmetric active peer
requires specification. Both symmetric peers use this IP address when exchanging NTP
packets.
Either the symmetric active or the symmetric passive peer must already be in the
synchronized state; otherwise, the two peers cannot be synchronized.
To configure multiple symmetric passive peers, run the ntp-service unicast-peer
command repeatedly. When multiple symmetric passive peers are configured for a
symmetric active peer, the synchronization direction follows the rule that symmetric
peers of higher strata are synchronized with symmetric peers of lower strata.

Configure the symmetric active peer.

a. Run system-view

The system view is displayed.


b. Run:

▪ ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | preference | vpn-instance vpn-instance-name | maxpoll max-number | minpoll min-number | preempt | port port-number ] *
The NTP peer with a specified IPv4 address is configured.

▪ ntp-service unicast-peer ipv6 ipv6-address [ authentication-keyid key-id | source-interface interface-type interface-number | preference | vpn-instance vpn-instance-name | maxpoll max-number | minpoll min-number | preempt | port port-number ] *
The NTP peer with a specified IPv6 address is configured.

The value of ip-address or ipv6-address must be a unicast address.

To specify the authentication-keyid parameter, see 13.9.4 Configuring
NTP Authentication.

If the port parameter is specified, specify the same port number on the
passive peer using the ntp-service port port-value command.
● Broadcast Mode


NOTE

Broadcast mode can be used only on LANs.


The broadcast client can be synchronized with the broadcast server only after the
clock of the broadcast server is synchronized.

Configure the NTP broadcast server.

a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface for sending NTP broadcast packets is specified, and the
interface view is displayed.
c. Run ntp-service broadcast-server [ version number | authentication-keyid key-id | port port-number | subnet-broadcast ] *

The local switch is configured as the NTP broadcast server.

To specify the authentication-keyid parameter, see 13.9.4 Configuring
NTP Authentication.

If the port parameter is specified, specify the same port number on the
broadcast client using the ntp-service port port-value command.

Configure the NTP broadcast client.

a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface for receiving NTP broadcast packets is specified, and the
interface view is displayed.
c. Run ntp-service broadcast-client

The local switch is configured as the NTP broadcast client.


● Multicast Mode
NOTE

The multicast client can synchronize with the multicast server only after the clock of
the multicast server is synchronized. A maximum of 128 multicast servers can be
configured on the device.
A maximum of 1024 multicast clients can be configured, and a maximum of 128
multicast clients can operate simultaneously.

Configure the NTP multicast server.

a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface for sending NTP multicast packets is specified, and the
interface view is displayed.


c. Run:

▪ ntp-service multicast-server [ ip-address ] [ version number | authentication-keyid key-id | ttl ttl-number | port port-number ] *
The local switch is configured as the NTP multicast server on an IPv4
network.

▪ ntp-service multicast-server ipv6 [ ipv6-address ] [ authentication-keyid key-id | ttl ttl-number | port port-number ] *
The local switch is configured as the NTP multicast server on an IPv6
network.
To specify the authentication-keyid parameter, see 13.9.4 Configuring
NTP Authentication.
If the port parameter is specified, specify the same port number on the
multicast client using the ntp-service port port-value command.
Configure the NTP multicast client.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface for receiving NTP multicast packets is specified, and the
interface view is displayed.
c. Run ntp-service multicast-client [ ip-address | ipv6 [ ipv6-address ] ]
The local switch is configured as the NTP multicast client.
● Manycast Mode
Configure the NTP manycast server.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface for receiving NTP manycast packets is specified, and the
interface view is displayed.
c. Run ntp-service manycast-server [ ip-address | ipv6 [ ipv6-address ] ]
The local switch is configured as the NTP manycast server.
Configure the NTP manycast client.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface for sending NTP manycast packets is specified, and the
interface view is displayed.
c. Run ntp-service manycast-client [ ip-address | ipv6 [ ipv6-address ] ]
[ authentication-keyid key-id | ttl ttl-number | port port-number ] *


The local switch is configured as the NTP manycast client.

To specify the authentication-keyid parameter, see 13.9.4 Configuring
NTP Authentication.

If the port parameter is specified, specify the same port number on the
manycast server using the ntp-service port port-value command.

----End

13.5.3 Enabling the NTP Server Function

Context
After NTP-related commands are configured on a device, the device automatically
disables the NTP server function. This prevents external devices from
synchronizing their clocks with the device clock. The device also records the
ntp-service server disable and ntp-service ipv6 server disable commands to its
configuration file. To use the device as an NTP server, enable the NTP server
function on it.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run undo ntp-service [ ipv6 ] server disable

The NTP server function is enabled on the device.

By default, the NTP server function is disabled.

----End

13.5.4 Verifying the Basic NTP Function Configuration

Prerequisites
All basic NTP functions have been configured.

Procedure
● Run the display ntp-service status command to view the NTP service status.
● Run the display ntp-service sessions [ verbose ] command to view the NTP
session status.
● Run the display ntp-service trace command to view the path from the local
device to the reference clock source.
● Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address
[ vpn-instance vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance
vpn-instance-name ] ] ] ] command to view statistics about NTP packets or
symmetric peers.

----End


13.6 Configuring the Client Clock

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ntp-service { max-sys-poll max-sys-poll-value | spike-offset spike-offset-value | sync-interval interval } *
The following are configured:

● The maximum polling interval. The default interval is 217s.


● The timestamp difference between packets sent by the clock server and
received by the client. The default difference is 128 ms.
● The interval at which synchronization of the client clock occurs. The default
interval is 600 seconds.

NOTE

Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support max-sys-poll max-sys-poll-value and
spike-offset spike-offset-value parameters.

Step 3 Run ntp-service max-distance max-distance-value

The maximum NTP synchronization distance is configured.

By default, the maximum NTP synchronization distance is 1 second.

----End

Verifying the Configuration


● Run the display current-configuration | include ntp command to view NTP
configuration.

13.7 Configuring the Local Source Interface for Sending and Receiving NTP Packets

Prerequisites
All basic NTP functions have been configured.

NOTE

If the ntp-service unicast-server or the ntp-service unicast-peer command specifies the
source interface of NTP packets, the specified source interface takes effect.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service [ ipv6 ] source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]
The local source interface for sending and receiving NTP packets is configured.
By default, the local source interface for sending NTP packets is not specified. The
source IP address of an NTP packet is selected based on route.
In manycast, broadcast and multicast modes, the NTP service is performed on the
source interface and the ntp-service source-interface command does not take
effect.
If the specified NTP source interface is in Down state, the source IP address of a
sent NTP packet is the primary IP address of the outbound interface.

----End

Verifying the Configuration


● Run the display current-configuration | include ntp command to view the
configuration about the local source interface for sending and receiving NTP
packets.

13.8 Limiting the Number of Local Dynamic Sessions

Prerequisites
All basic NTP functions have been configured.

Context
In both unicast client/server mode and symmetric peer mode, connections are
established using command lines. These connections are static sessions. Dynamic
sessions are established in broadcast mode and multicast mode. Configured limits
on the number of local dynamic sessions are enforced.

NOTE

The ntp-service max-dynamic-sessions command does not affect existing NTP sessions. When
the number of local dynamic NTP sessions exceeds the limit, new sessions cannot be
established.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service max-dynamic-sessions number


The number of local dynamic sessions that can be established is configured.

By default, a maximum of 100 NTP dynamic sessions can be established.

----End

Verifying the Configuration


● Run the display current-configuration | include ntp command to view the
number of local dynamic sessions that can be established.

13.9 Configuring NTP Access Control

Prerequisites
All basic NTP functions have been configured.

Configuration Procedure
The following configuration tasks can be performed in any sequence.

13.9.1 Disabling a Specified Interface from Receiving NTP Packets

Context
Disable receipt of NTP packets by interfaces connected to external devices in the
following scenarios:
● When an unreliable clock server exists on the interface. By default, after the
NTP function is enabled, all interfaces can receive NTP packets. An unreliable
clock source makes NTP clock data inaccurate.
● When the NTP clock data has been modified by a malicious attack on the
interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface for receiving NTP packets is specified.

Step 3 Run ntp-service [ ipv6 ] in-interface disable

The interface is disabled from receiving NTP packets.

----End


13.9.2 Configuring NTP Access Control Authority


Context
NTP access control is a simple but effective security measure. When access
requests reach the local end, matching is attempted sequentially with the access
authority from highest to lowest. The first successful match with an access
authority takes effect. The matching order from highest to lowest and function of
each access authority is as follows:
● Peer
The remote end can send time requests and control queries to the local NTP
service. The local clock can also be synchronized with the clock of the remote
server.
● Server
The remote end can send time requests and control queries to the local end.
The local clock cannot be synchronized with the clock of the remote server.
● Synchronization
The remote end can send time requests to the local end.
● Query
The remote end can send control queries to the local end.
● Limited
When NTP packet rates exceed the upper limit, incoming NTP packets are
discarded.
As described in Table 13-2, the access control authority is configured in different
NTP operating modes for different devices.

Table 13-2 Configuration of the NTP access control authority


NTP Operating Mode: Unicast NTP client/server mode
Restricted NTP Request Type: The client cannot synchronize with the server.
Configured Device: Client

NTP Operating Mode: Unicast NTP client/server mode
Restricted NTP Request Type: The server cannot process clock synchronization
  requests sent by the client.
Configured Device: Server

NTP Operating Mode: NTP symmetric peer mode
Restricted NTP Request Type: Symmetric passive and symmetric active peers cannot
  synchronize with each other.
Configured Device: Symmetric active peer

NTP Operating Mode: NTP symmetric peer mode
Restricted NTP Request Type: The symmetric passive peer cannot process clock
  synchronization requests sent by the symmetric active peer.
Configured Device: Symmetric passive peer

NTP Operating Mode: NTP multicast mode
Restricted NTP Request Type: The client cannot synchronize with the server.
Configured Device: NTP multicast client

NTP Operating Mode: NTP broadcast mode
Restricted NTP Request Type: The client cannot synchronize with the server.
Configured Device: NTP broadcast client

NTP Operating Mode: NTP manycast client mode
Restricted NTP Request Type: The client cannot synchronize with the server.
Configured Device: NTP manycast client

NTP Operating Mode: NTP manycast server mode
Restricted NTP Request Type: The server cannot process clock synchronization
  requests sent by the client.
Configured Device: NTP manycast server

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure the basic ACL.
Before configuring the access control authority, create a basic ACL. For details and
procedures, see ACL Configuration in the S300, S500, S2700, S5700, and S6700
V200R023C00 Configuration Guide - Security.
Step 3 Run ntp-service access { peer | query | server | synchronization | limited } { acl-number | ipv6 acl6-number } *
The access control authority of the NTP service is configured.
By default, no access control authority is set.

NOTE

Verify that the ACL rule has been configured before beginning configuration of the NTP
access control authority in the ACL. If the ACL rule is permit, the peer device with the
source IP address specified in this rule can access the NTP service on the local device. The
access rights of the peer device are configured using the ntp-service access command.
When the ACL rule is deny, the peer device with the source IP address specified in this rule
cannot access the NTP service on the local device.

Step 4 Run ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val } *

The minimum inter-packet interval and the average inter-packet interval of NTP
are configured.

By default, the minimum inter-packet interval of NTP is set to the first power of 2
in seconds, namely, 2 seconds, and the average inter-packet interval of NTP is set
to the fifth power of 2 in seconds, namely, 32 seconds.

----End

13.9.3 Configuring KOD

Context
Kiss-o'-Death (KOD) is a modern access control technology implemented in NTPv4. It is used by
the server to provide information to the client. The information provided includes
status reports and access control.

With KOD enabled on the server, the server will send either the DENY or RATE kiss
code to the client, according to the operating status of the system.

● When receiving the kiss code DENY, the client terminates all connections to
the server, and stops sending packets to the server.
● When receiving the kiss code RATE, the client immediately reduces its polling
interval to the server. The client will continue to reduce the interval if
receiving subsequent RATE kiss codes.
NOTE

KOD supports unicast client/server, symmetric peer, and manycast modes.


KOD functions only in NTPv4.
The following configuration is performed on the server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ntp-service kod-enable

The KOD function is enabled.

By default, the KOD function is disabled.

Step 3 Configure the basic ACL.

Before configuring the access control authority, create a basic ACL. For the
creation procedure, see ACL Configuration in the S300, S500, S2700, S5700, and
S6700 V200R023C00 Configuration Guide - Security.

Step 4 Run ntp-service access limited { acl-number | ipv6 acl6-number } *

Control on the incoming NTP packet rate is enabled.

By default, control on the incoming NTP packet rate is disabled.


NOTE

Before enabling control on the rate of incoming NTP packets, check the ACL rule
configuration. When the ACL rule is deny, the server sends the kiss code DENY. When the
ACL is permit and the rate of incoming NTP packets reaches the upper threshold, the server
sends the kiss code RATE.

Step 5 Run ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val } *
The minimum inter-packet interval and the average inter-packet interval of NTP
are configured.
By default, the minimum inter-packet interval of NTP is set to the first power of 2
in seconds, namely, 2 seconds, and the average inter-packet interval of NTP is set
to the fifth power of 2 in seconds, namely, 32 seconds.

----End

13.9.4 Configuring NTP Authentication


Context
During NTP authentication, the client determines whether authentication packets
pass verification, regardless of whether the server has authentication enabled.
● If the client has authentication enabled and sends authentication information
(that is, the key ID and key) in messages destined for the server:
– If the key ID and key on the server are the same as those sent by the
client, the server sends messages with authentication information to the
client. Authentication succeeds on the client.
– If the key ID and key on the server are different from those sent by the
client, the server sends messages without authentication information to
the client. Authentication fails on the client.
● If the client has authentication enabled and does not send authentication
information in messages destined for the server:
The server sends messages without authentication information to the client.
Authentication succeeds on the client.
● If the client does not have authentication enabled, no matter whether the
messages sent by the server carry authentication information, authentication
succeeds on the client.
In networks demanding higher security, the authentication function can be
enabled when using the NTP protocol. Password authentication of both clients and
servers ensures that a client only synchronizes with an authenticated device,
improving the network security.
NTP authentication follows these rules:
● NTP authentication must be enabled first; otherwise, authentication cannot
be implemented.
● NTP authentication needs to be configured on both the client and the server.
Otherwise, NTP authentication does not take effect.


● When NTP authentication is enabled, a trusted key is configured on the client.


● Keys configured on the server and the client must be identical.
● Devices attempting to synchronize their clocks must declare their keys as
reliable or NTP authentication will fail.
NOTE

In NTP symmetric peer mode, the symmetric active peer functions as a client and the
symmetric passive peer functions as a server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ntp-service authentication enable
The NTP authentication function is enabled.
Step 3 Run ntp-service authentication-keyid key-id authentication-mode { md5 |
hmac-sha256 } [ cipher ] password
The NTP authentication key is configured.
Step 4 Run ntp-service reliable authentication-keyid key-id
The reliable key is specified.

----End

Follow-up Procedure
After NTP authentication configuration is complete, apply the NTP authentication
key in Configuring NTP Operating Modes by specifying the authentication-keyid
parameter.

13.9.5 Verifying the NTP Access Control Configuration


Prerequisites
The configuration of NTP access control is completed.

Procedure
● Run the display current-configuration | include ntp command to view NTP
configuration.
● Run the display ntp-service status command to view the NTP service status.
● Run the display ntp-service sessions [ verbose ] command to view the NTP
session status.
----End
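
The authentication rules in 13.9.4 and the server and access control settings in 13.5.3 and 13.9.2 can be checked offline against saved output of display current-configuration | include ntp. The Python script below is an added example, not Huawei code: the two sample configurations are constructed, <ciphertext> is a placeholder, the finding codes are hypothetical names, and it assumes that a missing ntp-service server disable line means the server function is enabled.

```python
import re

# Constructed samples in the layout of `display current-configuration | include ntp`.
# They are not output from the guide; <ciphertext> stands in for the stored key.
SAMPLE_CLIENT = """\
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service authentication-keyid 7 authentication-mode md5 cipher <ciphertext>
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
ntp-service unicast-server 10.1.1.9
ntp-service unicast-peer 10.1.2.2 authentication-keyid 7
"""

SAMPLE_SERVER = """\
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service reliable authentication-keyid 42
ntp-service refclock-master 2
"""

KEY_RE = re.compile(r"^ntp-service authentication-keyid (\d+) authentication-mode (\S+)")
RELIABLE_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
ASSOC_RE = re.compile(r"^ntp-service (unicast-server|unicast-peer) (?:ipv6 )?(\S+)(.*)$")
KEYREF_RE = re.compile(r"\bauthentication-keyid (\d+)")
ACCESS_RE = re.compile(
    r"^ntp-service access (?:peer|query|server|synchronization|limited) (.+)$")


def parse(text):
    """Collect the NTP settings the audit needs from configuration text."""
    cfg = {"lines": [], "keys": {}, "reliable": set(), "assocs": [],
           "acl_v4": False, "acl_v6": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ntp-service"):
            continue
        cfg["lines"].append(line)
        m = KEY_RE.match(line)
        if m:
            cfg["keys"][m.group(1)] = m.group(2)      # key-id -> mode
            continue
        m = RELIABLE_RE.match(line)
        if m:
            cfg["reliable"].add(m.group(1))
            continue
        m = ASSOC_RE.match(line)
        if m:
            ref = KEYREF_RE.search(m.group(3))
            cfg["assocs"].append((m.group(1), m.group(2), ref.group(1) if ref else None))
            continue
        m = ACCESS_RE.match(line)
        if m:
            tokens = m.group(1).split()
            cfg["acl_v4"] = cfg["acl_v4"] or tokens[0] != "ipv6"
            cfg["acl_v6"] = cfg["acl_v6"] or "ipv6" in tokens
    return cfg


def audit(text):
    """Return sorted (code, subject) findings for one device's NTP configuration."""
    cfg = parse(text)
    findings = []
    auth_on = "ntp-service authentication enable" in cfg["lines"]
    for kind, addr, key in cfg["assocs"]:
        subject = f"{kind} {addr}"
        if key is None:
            # No key ID is sent, so the client synchronizes without authentication.
            findings.append(("UNAUTHENTICATED_ASSOC", subject))
        elif not auth_on:
            findings.append(("AUTH_NOT_ENABLED", subject))
        elif key not in cfg["keys"]:
            findings.append(("UNDEFINED_KEY", f"{subject} key {key}"))
        elif key not in cfg["reliable"]:
            findings.append(("KEY_NOT_RELIABLE", f"{subject} key {key}"))
    for key, mode in cfg["keys"].items():
        if mode == "md5":
            findings.append(("WEAK_MODE", f"key {key} md5"))
    # Assumption: a missing "server disable" line means the server function is on.
    for family, disable, has_acl in (
            ("IPv4", "ntp-service server disable", cfg["acl_v4"]),
            ("IPv6", "ntp-service ipv6 server disable", cfg["acl_v6"])):
        if disable not in cfg["lines"] and not has_acl:
            findings.append(("SERVER_NO_ACCESS_CONTROL", family))
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("client", SAMPLE_CLIENT), ("server", SAMPLE_SERVER)):
        for code, subject in audit(sample):
            print(f"{name}: {code}: {subject}")
```

The server sample mirrors SwitchA after Step 2 of 13.11.1: the server function is enabled and authentication is configured, but no ntp-service access rule restricts who may query it.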

13.10 Maintaining NTP


13.10.1 Clearing NTP Statistics


Context
NOTE

NTP statistics cannot be recovered after being cleared with the reset ntp-service statistics
packet command. Exercise caution when using this command.

Procedure
● Run the reset ntp-service statistics packet [ ipv6 | peer [ ip-address [ vpn-instance vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ] command to clear statistics on NTP packets or
symmetric peers.
----End

13.10.2 Monitoring the Running Status of NTP


Context
After NTP configurations are complete, run the following commands in any view
to monitor NTP running status.

Procedure
● Run the display ntp-service statistics packet [ ipv6 | peer [ ip-address
[ vpn-instance vpn-instance-name ] | ipv6 [ ipv6-address [ vpn-instance
vpn-instance-name ] ] ] ] command to view statistics on NTP packets or
symmetric peers.
● Run the display ntp-service status command to view the NTP status.
● Run the display ntp-service sessions [ verbose ] command to view all
session information maintained by the local NTP service.
● Run the display ntp-service trace command to view the path from the local
device to the reference clock source.
● Run the display ntp-service event clock-unsync command to view causes of
the last 10 failed clock synchronizations.
----End
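
A monitoring job can compare the output of display ntp-service status with fixed expectations and alert when a switch stops following its intended time source. The Python check below is an added example, not part of the guide: GOOD is abridged from the SwitchB sample in 13.11.1, ROGUE is constructed, and the allowed reference ID, expected stratum, 128 ms offset limit and alert names are assumptions chosen for illustration.

```python
# GOOD is abridged from the guide's SwitchB sample output; ROGUE is constructed
# and shows a client that has followed an unexpected time source.
GOOD = """\
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
clock offset: -1.6796 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
"""

ROGUE = """\
clock status: synchronized
clock stratum: 2
reference clock ID: 192.0.2.77
clock offset: 412.5000 ms
"""


def parse_status(output):
    """Map each 'name: value' line to a lower-cased field name."""
    fields = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def check_status(output, allowed_refs, expected_stratum, max_offset_ms):
    """Return alert names (hypothetical) for one device's status output."""
    fields = parse_status(output)
    if fields.get("clock status") != "synchronized":
        return ["UNSYNCHRONIZED"]        # the remaining fields are not meaningful
    alerts = []
    if fields.get("reference clock id") not in allowed_refs:
        alerts.append("UNEXPECTED_SOURCE")
    try:
        if int(fields["clock stratum"]) != expected_stratum:
            alerts.append("STRATUM_MISMATCH")
        if abs(float(fields["clock offset"].split()[0])) > max_offset_ms:
            alerts.append("OFFSET_EXCEEDED")
    except (KeyError, ValueError, IndexError):
        alerts.append("UNPARSEABLE_OUTPUT")   # truncated or unexpected layout
    return alerts


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("rogue", ROGUE)):
        print(name, check_status(sample, {"10.1.1.1"}, 3, 128.0))
```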

13.11 Configuration Examples for NTP


13.11.1 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication Enabled

Networking Requirements
In Figure 13-11, SwitchA, SwitchB, and SwitchC are connected, and SwitchA has
synchronized its clock with GPS.
To ensure accounting accuracy, clock synchronization is required from SwitchB and
SwitchC to SwitchA.

Figure 13-11 Configuring the NTP unicast server/client mode with NTP
authentication enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchA as the NTP master clock server.
2. Configure the NTP unicast server/client mode to synchronize the clocks of
SwitchA, SwitchB, and SwitchC. Configure SwitchA as the NTP server and
SwitchB and SwitchC as NTP clients.
3. Enable NTP authentication to ensure NTP clock synchronization security.
NOTE

When configuring NTP authentication in the unicast server/client mode, enable NTP
authentication on the client, and specify the NTP server's IP address and the authentication
key sent to the server. Otherwise, NTP authentication is not performed, and the NTP server
and client directly synchronize their clocks.

Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC and ensure that they
have reachable routes to each other.
# Configure an IP address and a route on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] ip route-static 10.1.2.0 24 10.1.1.2


# Configure two IP addresses on SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.1.1.2 24
[SwitchB-Vlanif100] quit
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.2.1 24
[SwitchB-Vlanif10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/2] quit

# Configure an IP address and a route on SwitchC.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 10.1.2.2 24
[SwitchC-Vlanif10] quit
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] ip route-static 10.1.1.0 24 10.1.2.1

Step 2 On SwitchA, configure the NTP master clock and enable NTP authentication.

# Configure the local clock of SwitchA as the master clock, and set the clock
stratum to 2.
[SwitchA] ntp-service refclock-master 2

# Enable NTP authentication, configure the authentication key, and declare that
the key is reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchA] ntp-service reliable authentication-keyid 42

# Enable the NTP server function on SwitchA.


[SwitchA] undo ntp-service server disable

Step 3 On SwitchB, enable NTP authentication, configure the authentication key, declare
that the key is reliable, and specify SwitchA as the NTP server.
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchB] ntp-service reliable authentication-keyid 42
[SwitchB] ntp-service unicast-server 10.1.1.1 authentication-keyid 42

Step 4 On SwitchC, enable NTP authentication, configure the authentication key, declare
that the key is reliable, and specify SwitchA as the NTP server.
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher Hello123
[SwitchC] ntp-service reliable authentication-keyid 42
[SwitchC] ntp-service unicast-server 10.1.1.1 authentication-keyid 42

Step 5 Verify the configuration.


# Check the NTP status of SwitchA.
[SwitchA] display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.96 ms
peer dispersion: 10.00 ms
reference time: 08:54:40.010 UTC Nov 22 2013(D6399696.029E9079)
synchronization state: clock synchronized

# Check the NTP status of SwitchB. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: -1.6796 ms
root delay: 2.71 ms
root dispersion: 21.87 ms
peer dispersion: 10.94 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized

# Check the NTP status of SwitchC. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchA.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 13.6320 ms
root delay: 2.71 ms
root dispersion: 2.76 ms
peer dispersion: 10.94 ms
reference time: 08:57:44.160 UTC Nov 22 2013(D6399E4E.052B2BFD)
synchronization state: clock synchronized

----End
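The Step 5 verification can be run as a repeatable check that also catches a client synchronized to an unexpected source. The following is an added example, not Huawei code: it parses `display ntp-service status` output, compares the reference clock ID with an allowlist, and decodes the hexadecimal value in parentheses as a 64-bit NTP timestamp. The function names, the second sample, and the 50 ms offset threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # start of NTP era 0

# Fields of the SwitchB output shown in Step 5 above (unused fields omitted).
SWITCHB_STATUS = """\
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.1
clock offset: -1.6796 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized
"""

# Constructed sample: a client locked onto an address outside the allowlist.
UNEXPECTED_SOURCE_STATUS = """\
clock status: synchronized
clock stratum: 5
reference clock ID: 10.1.2.99
clock offset: 0.4100 ms
reference time: 08:54:44.160 UTC Nov 22 2013(D6399A54.29247CB7)
synchronization state: clock synchronized
"""


def parse_status(text):
    """Split 'name: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_reftime(value):
    """Decode the '(SSSSSSSS.FFFFFFFF)' suffix: seconds since 1900 plus a 32-bit fraction."""
    m = re.search(r"\(([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\)", value)
    if not m:
        raise ValueError("no hexadecimal NTP timestamp in reference time")
    seconds, fraction = int(m.group(1), 16), int(m.group(2), 16)
    micros = fraction * 1_000_000 // 2**32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def check_status(text, allowed_sources, expected_stratum, max_offset_ms=50.0):
    """Return a list of findings; an empty list means the client looks as expected."""
    f = parse_status(text)
    findings = []
    if f.get("clock status") != "synchronized":
        findings.append("clock is not synchronized")
    ref = f.get("reference clock ID", "")
    if ref not in allowed_sources:
        findings.append(f"reference clock ID {ref!r} is not an approved source")
    if f.get("clock stratum") != str(expected_stratum):
        findings.append(f"stratum {f.get('clock stratum')} != expected {expected_stratum}")
    offset = float(f.get("clock offset", "nan ms").split()[0])
    if not abs(offset) <= max_offset_ms:  # also true when the field is missing (NaN)
        findings.append(f"clock offset {offset} ms exceeds {max_offset_ms} ms")
    return findings


if __name__ == "__main__":
    for name, text in (("SwitchB", SWITCHB_STATUS), ("constructed", UNEXPECTED_SOURCE_STATUS)):
        print(name, check_status(text, {"10.1.1.1"}, expected_stratum=3))
    print(decode_reftime(parse_status(SWITCHB_STATUS)["reference time"]).isoformat())
```
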

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %^%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid 42
ntp-service refclock-master 2
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %^%#cVg6'G;i2*@[$uB@!^}:g$V6+~Hc}V,]M"Y/voeF%^%#
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif10
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %^%#G;i2;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
#
return

13.11.2 Example for Configuring the NTP Symmetric Peer Mode

Networking Requirements
In Figure 13-12, SwitchA, SwitchB, and SwitchC are located within the same LAN.
To facilitate device management, all LAN devices require clock synchronization.
SwitchA has synchronized its clock with GPS through a network. It is required that
SwitchB and SwitchC synchronize their clocks with the clock of SwitchA.

Figure 13-12 Configuring the NTP symmetric peer mode

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local clock of SwitchA as the NTP master clock.
2. Configure the NTP unicast server/client mode to synchronize the clocks of
SwitchB and SwitchA. Configure SwitchA as the NTP server and SwitchB as the
NTP client.
3. Configure the NTP symmetric peer mode to synchronize the clocks of SwitchB
and SwitchC. Configure SwitchC as the symmetric active peer that sends a
clock synchronization request to SwitchB.

Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
Configure an IP address for each interface according to Figure 13-12. After the
configuration is complete, SwitchA, SwitchB, and SwitchC can ping each other.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC
are similar to the configuration of SwitchA, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.0.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

Step 2 Configure Layer 2 forwarding on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/3] quit

Step 3 Configure the NTP server/client mode.


# Configure the local clock of SwitchA as the NTP master clock, and set the clock
stratum to 2.
[SwitchA] ntp-service refclock-master 2

# Enable the NTP server function on SwitchA.


[SwitchA] undo ntp-service server disable

# On SwitchB, specify SwitchA as its NTP server.


[SwitchB] ntp-service unicast-server 10.0.0.1

# Enable the NTP server function on SwitchB.


[SwitchB] undo ntp-service server disable

After the configuration is complete, SwitchB can synchronize its clock with the
clock of SwitchA.
Check the NTP status of SwitchB. The clock status is synchronized, indicating that
the clock synchronization is complete. The clock stratum is 3, which is one stratum
lower than that of SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.0.0.1
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
synchronization state: clock set

Step 4 Configure the NTP symmetric peer mode.


# On SwitchC, specify SwitchB as its symmetric passive peer.
[SwitchC] ntp-service unicast-peer 10.0.0.2

# Enable the NTP server function on SwitchC.


[SwitchC] undo ntp-service server disable

Because SwitchC is not configured with a master clock and its clock stratum is
lower than that of SwitchB, SwitchC synchronizes its clock with the clock of
SwitchB.
Step 5 Verify the configuration.
# Check the clock status of SwitchC. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum of SwitchC is 4,
which is one stratum lower than that of the symmetric passive peer SwitchB.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.2
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
synchronization state: clock set but frequency not determined

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service refclock-master 2
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service unicast-server 10.0.0.1
#
interface Vlanif10
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service unicast-peer 10.0.0.2
#
interface Vlanif10
ip address 10.0.0.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● Switch configuration file


#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

13.11.3 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled

Networking Requirements
In Figure 13-13, SwitchA, SwitchB, and SwitchC are located within the same LAN.
SwitchA synchronizes its clock with GPS through radio.
To ensure accounting accuracy, SwitchB and SwitchC must synchronize their clocks
with the clock of SwitchA.

Figure 13-13 Configuring the NTP broadcast mode with NTP authentication enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchA as the master clock server, use its local clock as the NTP
master clock, and set the clock stratum to 3.
2. Configure SwitchA as the NTP broadcast server that sends broadcast packets
through VLANIF 10 (the corresponding physical interface is GE0/0/1).
3. Configure SwitchB and SwitchC as NTP broadcast clients.
4. Enable NTP authentication to ensure NTP clock synchronization security.

Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB, and SwitchC.
# Configure an IP address for SwitchA. The configurations of SwitchB and SwitchC
are similar to the configuration of SwitchA, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.0.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit

Step 2 Configure Layer 2 forwarding on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/3] quit

Step 3 Configure the NTP broadcast server and enable NTP authentication.

# Configure the local clock of SwitchA as the NTP master clock, and set the clock
stratum to 3.
[SwitchA] ntp-service refclock-master 3

# Enable NTP authentication.


[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher Hello123
[SwitchA] ntp-service reliable authentication-keyid 16

# Configure SwitchA as the NTP broadcast server that sends NTP broadcast
packets from VLANIF 10, and specify key 16 for encryption.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ntp-service broadcast-server authentication-keyid 16
[SwitchA-Vlanif10] quit

# Enable the NTP server function on SwitchA.


[SwitchA] undo ntp-service server disable

Step 4 Configure SwitchB as an NTP broadcast client, which is on the same network
segment as the NTP server.

# Enable NTP authentication.


[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher Hello123
[SwitchB] ntp-service reliable authentication-keyid 16

# Configure SwitchB as an NTP broadcast client that listens to NTP broadcast
packets on VLANIF 10.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ntp-service broadcast-client
[SwitchB-Vlanif10] quit

Step 5 Configure SwitchC as an NTP broadcast client, which is on the same network
segment as the NTP server.

# Enable NTP authentication.


[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher Hello123
[SwitchC] ntp-service reliable authentication-keyid 16

# Configure SwitchC as an NTP broadcast client that listens to NTP broadcast
packets on VLANIF 10.
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ntp-service broadcast-client
[SwitchC-Vlanif10] quit

Step 6 Verify the configuration.

After the configuration is complete, SwitchB and SwitchC can synchronize their
clocks to the clock of SwitchA.
# Check the NTP status of SwitchC. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 4, which is one
stratum lower than that of the NTP server SwitchA.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2012(C7B7F851.C5EAF25B)
synchronization state: clock synchronized

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %^%#uLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT2,.T%^%#
ntp-service reliable authentication-keyid 16
ntp-service refclock-master 3
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %^%#cVg6'G;i2*@[$uB@!^}:g$V6+~Hc}V,]M"Y/voeF%^%#
ntp-service reliable authentication-keyid 16
#
interface Vlanif10
ip address 10.0.0.2 255.255.255.0
ntp-service broadcast-client
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %^%#vLLi;!VFkMLO;SAD#:~GS=:/UzP~}1lS2'KT3,.T%^%#
ntp-service reliable authentication-keyid 16
#
interface Vlanif10
ip address 10.0.0.3 255.255.255.0
ntp-service broadcast-client
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● Switch configuration file


#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
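The authenticated configuration files in 13.11.1 and 13.11.3 all follow one pattern: authentication enabled, a key defined, the key declared reliable, and the key referenced on the server or broadcast-server association. The following audit is an added example, not Huawei code, that checks a saved configuration for that pattern and reports associations left unauthenticated; the function names and the sample configurations (modelled on this page, with a placeholder for the cipher string) are assumptions.

```python
import re

KEYDEF = re.compile(r"ntp-service authentication-keyid (\d+) authentication-mode (\S+)")
RELIABLE = re.compile(r"ntp-service reliable authentication-keyid (\d+)")
ASSOC = re.compile(r"ntp-service (unicast-server|unicast-peer|broadcast-server|"
                   r"multicast-server|broadcast-client|multicast-client)\b(.*)")
KEYREF = re.compile(r"authentication-keyid (\d+)")

# Constructed samples modelled on the configuration files on this page;
# <ciphertext> is a placeholder for the device-generated cipher string.
UNICAST_CLIENT = """
ntp-service server disable
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
"""
BROADCAST_SERVER = """
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service reliable authentication-keyid 16
ntp-service refclock-master 3
interface Vlanif10
 ip address 10.0.0.1 255.255.255.0
 ntp-service broadcast-server authentication-keyid 16
"""
PEER_WITHOUT_AUTH = """
ntp-service ipv6 server disable
ntp-service unicast-peer 10.0.0.2
"""
KEY_NOT_RELIABLE = """
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <ciphertext>
ntp-service unicast-server 10.1.1.1 authentication-keyid 42
"""


def parse_ntp(config):
    """Collect the NTP authentication state and associations from one config file."""
    st = {"auth": False, "keys": {}, "reliable": set(), "assocs": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp-service authentication enable":
            st["auth"] = True
            continue
        m = KEYDEF.match(line)
        if m:
            st["keys"][int(m.group(1))] = m.group(2)
            continue
        m = RELIABLE.match(line)
        if m:
            st["reliable"].add(int(m.group(1)))
            continue
        m = ASSOC.match(line)
        if m:
            ref = KEYREF.search(m.group(2))
            st["assocs"].append((m.group(1), int(ref.group(1)) if ref else None))
    return st


def audit(config):
    """Return findings; an empty list means every association is authenticated."""
    st, findings = parse_ntp(config), []
    if st["assocs"] and not st["auth"]:
        findings.append("NTP associations exist but authentication is not enabled")
    for kind, keyid in st["assocs"]:
        if kind.endswith("-client"):  # listeners carry no key ID of their own
            if not st["reliable"]:
                findings.append(f"{kind}: no reliable key to verify received packets")
        elif keyid is None:
            findings.append(f"{kind}: association has no authentication-keyid")
        elif keyid not in st["keys"]:
            findings.append(f"{kind}: key {keyid} is referenced but not defined")
        elif keyid not in st["reliable"]:
            findings.append(f"{kind}: key {keyid} is not declared reliable")
    for keyid, mode in st["keys"].items():
        if mode != "hmac-sha256":
            findings.append(f"key {keyid} uses {mode}, not hmac-sha256 as in these examples")
    return findings


if __name__ == "__main__":
    for name in ("UNICAST_CLIENT", "BROADCAST_SERVER", "PEER_WITHOUT_AUTH", "KEY_NOT_RELIABLE"):
        print(name, audit(globals()[name]))
```
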

13.11.4 Example for Configuring the NTP Multicast Mode


Networking Requirements
In Figure 13-14, SwitchA, SwitchB, and SwitchC are located within the same LAN.
SwitchC synchronizes its clock with GPS through radio.
To ensure accounting accuracy, all switches on the LAN require clock
synchronization with the clock of SwitchC.

Figure 13-14 Configuring the NTP multicast mode

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SwitchC as the master clock server, use its local clock as the NTP
master clock, and set the clock stratum to 2.
2. Configure SwitchC as the NTP multicast server that sends multicast packets
through VLANIF 10 (the corresponding physical interface is GE0/0/1).
3. Configure SwitchA and SwitchB as NTP multicast clients. Configure SwitchA to
listen to multicast packets on VLANIF 10 (the corresponding physical interface
is GE0/0/2). Configure SwitchB to listen to multicast packets on VLANIF 10
(the corresponding physical interface is GE0/0/1).

Procedure
Step 1 Configure an IP address for each interface according to Figure 13-14 and ensure
that the switches have reachable routes to each other.
# Configure an IP address on SwitchB. The configurations of SwitchC and SwitchA
are similar to the configuration of SwitchB, and are not mentioned here. For
details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type hybrid
[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.1 24
[SwitchB-Vlanif10] quit

Step 2 Configure Layer 2 forwarding on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type hybrid
[Switch-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/3] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/3] quit

Step 3 Configure the NTP multicast server.

# Configure the local clock of SwitchC as the NTP master clock, and set the clock
stratum to 2.
[SwitchC] ntp-service refclock-master 2

# Configure SwitchC as the NTP multicast server that sends NTP multicast packets
through VLANIF 10.
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ntp-service multicast-server
[SwitchC-Vlanif10] quit

# Enable the NTP server function on SwitchC.


[SwitchC] undo ntp-service server disable

Step 4 Configure SwitchA and SwitchB as NTP multicast clients, which are on the same
network segment as the NTP multicast server.

# Configure SwitchA as an NTP multicast client that listens to NTP multicast
packets on VLANIF 10.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ntp-service multicast-client
[SwitchA-Vlanif10] quit

# Configure SwitchB as an NTP multicast client that listens to NTP multicast
packets on VLANIF 10.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ntp-service multicast-client
[SwitchB-Vlanif10] quit

Step 5 Verify the configuration.

After the configuration is complete, SwitchA and SwitchB can synchronize their
clocks with the clock of SwitchC.

# Check the NTP status of SwitchC. The clock stratum is 2 and the reference clock
is LOCAL, indicating that the local clock functions as the reference clock.
[SwitchC] display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.95 ms
peer dispersion: 10.00 ms
reference time: 12:25:19.710 UTC Nov 19 2013(D635D72F.B5F41AEF)
synchronization state: clock synchronized

# Check the NTP status of SwitchA. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchC.
[SwitchA] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.3.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 40.00 ms
root dispersion: 4.38 ms
peer dispersion: 34.30 ms
reference time: 12:17:21.773 UTC Mar 7 2013(C7B7F851.C5EAF25B)
synchronization state: clock synchronized

# Check the NTP status of SwitchB. The clock status is synchronized, indicating
that the clock synchronization is complete. The clock stratum is 3, which is one
stratum lower than that of the NTP server SwitchC.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.3.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2013(C7B7F851.C5EAF25B)
synchronization state: clock synchronized

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
#
interface Vlanif10
ip address 10.1.3.1 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10
#
ntp-service server disable
ntp-service ipv6 server disable
#
interface Vlanif10
ip address 10.1.3.3 255.255.255.0
ntp-service multicast-client
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 10
#
ntp-service ipv6 server disable
ntp-service refclock-master 2
#
interface Vlanif10
ip address 10.1.3.2 255.255.255.0
ntp-service multicast-server
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

● Switch configuration file


#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return
