CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of the various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring the NTP

Configuring Basic NTP Functions

You can configure basic NTP functions to enable devices on the network to synchronize clocks.

Pre-configuration Tasks

Before the basic NTP functions are configured, complete the following task:

  • Configuring the network layer address and routing protocol of an interface to ensure that NTP packets can reach the destination.

Configuration Procedure

Basic NTP configuration contains the configuration of the NTP primary clock and operating mode.

Configuring an NTP primary clock

Context

A device on the network can synchronize its clock in the following ways.
  • Synchronizing with the local clock: The local clock is used as the reference clock.
  • Synchronizing with another device on the network: That device is used as an NTP clock server and provides the reference clock for the local clock.

If both ways are configured, the device selects the optimal clock source by comparing the clocks obtained in the two ways. The clock of a lower stratum is preferred.

An authoritative clock is used as the reference time source for a synchronization subnet and sits at the top of the subnet's hierarchy. The authoritative clock is stratum 0. In practice it is usually a radio clock or the Global Positioning System (GPS), and its time is obtained from a broadcast UTC time code rather than from NTP.

In practice, the NTP server that is synchronized with the authoritative clock is stratum 1 and serves as the master reference clock source. Other devices on the network synchronize their clocks with this NTP server; that is, the local clock of the NTP server is configured as the NTP primary clock. The NTP distance from a device on the network to the master reference clock source, that is, the number of NTP servers on the synchronization chain, determines the stratum of the clock on that device.

As shown in Figure 3-20, Switch ModuleA is the primary clock, with clock stratum 1. The clock synchronization direction is from Switch ModuleA to Switch ModuleB, and then to Switch ModuleC. Switch ModuleC can synchronize with Switch ModuleB only after Switch ModuleB has synchronized with Switch ModuleA. After all devices on the synchronization subnet are synchronized, Switch ModuleB is stratum 2 and Switch ModuleC is stratum 3.
Figure 3-20 NTP synchronization subnet
NOTE:

After the local clock is configured as the reference clock, the local device can be used as the clock source to synchronize other devices on the network. Confirm that this is intended before performing the configuration, to avoid propagating clock errors across the network.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp refclock-master [ ip-address ] [ stratum ]

    The local clock is configured as the NTP primary clock.

    By default, no NTP primary clock is specified.

  3. Run:

    commit

    The configuration is committed.
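A small Python model of the stratum rules described above, added here as an example and not part of the Huawei guide: it propagates synchronization through a subnet round by round using the "lower stratum is preferred" rule and the rule (stated later for unicast client/server mode) that a client does not synchronize to a server whose stratum is greater than or equal to its own. The device names and the stratum-16 "unsynchronized" value are assumptions of the example.

```python
# Added example (not from the Huawei guide): a model of how stratum propagates
# through an NTP synchronization subnet according to the rules on this page.
# Device names and relationships are constructed for the example.

UNSYNCHRONIZED = 16  # stratum a device reports before it has a clock (assumption)


def synchronize(primary, servers, max_rounds=16):
    """Propagate clock synchronization through the subnet.

    primary: {device: stratum} for devices whose local clock is configured
             with `ntp refclock-master` (the NTP primary clocks).
    servers: {client: [server, ...]} unicast client/server relationships.
    Returns (stratum, synced_round): the converged stratum of every device and
    the round in which each device first obtained a synchronized clock
    (primary clocks count as round 0; never-synchronized devices are absent).
    """
    devices = set(primary) | set(servers) | {s for lst in servers.values() for s in lst}
    stratum = {d: primary.get(d, UNSYNCHRONIZED) for d in devices}
    synced_round = {d: 0 for d in primary}

    for rnd in range(1, max_rounds + 1):
        changed = False
        # Use a snapshot so that a round only relies on clocks that were already
        # synchronized when it started (C cannot follow B before B follows A).
        snapshot = dict(stratum)
        for client, candidates in servers.items():
            usable = [snapshot[s] for s in candidates if snapshot[s] < UNSYNCHRONIZED]
            if not usable:
                continue
            best = min(usable)  # the clock of a lower stratum is preferred
            # A server whose stratum is greater than or equal to the client's own
            # stratum is not used for synchronization.
            if best >= stratum[client]:
                continue
            if stratum[client] != best + 1:
                stratum[client] = best + 1
                changed = True
            synced_round.setdefault(client, rnd)
        if not changed:
            break
    return stratum, synced_round


def figure_3_20():
    """The subnet of Figure 3-20: A is the stratum-1 primary clock,
    B synchronizes to A and C synchronizes to B."""
    primary = {"SwitchModuleA": 1}
    servers = {"SwitchModuleB": ["SwitchModuleA"], "SwitchModuleC": ["SwitchModuleB"]}
    return synchronize(primary, servers)


if __name__ == "__main__":
    strata, rounds = figure_3_20()
    for device in sorted(strata):
        print(f"{device}: stratum {strata[device]}, synchronized in round {rounds.get(device)}")
```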

Configuring NTP Operating Modes

Context

The following NTP operating modes are supported by a device:

  • Unicast client/server mode

    Usage scenario: The unicast client/server mode is used on a higher stratum of a synchronization subnet. In this mode, the IP address of the server needs to be obtained in advance.

    Deployment location and synchronization direction: You need to configure only the client. The server needs to be configured with only an NTP primary clock. Note that the client can be synchronized to the server but the server cannot be synchronized to the client.

  • Symmetric peer mode

    Usage scenario: The symmetric peer mode is used on a lower stratum of the synchronization subnet. In this mode, a symmetric active peer and a symmetric passive peer can be synchronized with each other. To be specific, a symmetric peer of a higher stratum is synchronized to a symmetric peer of a lower stratum.

    Deployment location and synchronization direction: You need to configure only the symmetric active peer. The symmetric passive peer does not need to be configured with any NTP command. In symmetric peer mode, a symmetric peer of a higher stratum is synchronized to a symmetric peer of a lower stratum.

  • Broadcast mode

    Usage scenario: When the IP address of a server or a symmetric peer is not known, or when the clocks of a large number of devices need to be synchronized on a network, clock synchronization can be implemented in broadcast mode.

    Deployment location and synchronization direction: Relevant commands need to be run on both the server and the client. Note that the client can be synchronized to the server but the server cannot be synchronized to the client.

  • Multicast mode

    Usage scenario: The multicast mode applies to a high-speed network that has multiple workstations and does not require high accuracy. In a typical scenario, one or more clock servers on the network periodically send multicast packets to the workstations. The packet transmission delay in a LAN is at the millisecond level.

    Deployment location and synchronization direction: Relevant commands need to be run on both the server and the client. Note that the client can be synchronized to the server but the server cannot be synchronized to the client.

  • Manycast mode

    Usage scenario: The manycast mode applies to a scenario where servers are scattered across a network. The client can discover and synchronize to the closest manycast server. The mode also suits a scenario where the servers are not stable, because clients on the network do not need to be reconfigured when a server changes.

    Deployment location and synchronization direction: Relevant commands need to be run on both the server and the client. Note that the client can be synchronized to the server but the server cannot be synchronized to the client.

NOTE:

If a source address from which NTP packets are sent is specified on the server, the address must be the same as the server IP address configured on the client. Otherwise, the client cannot process the NTP packets sent by the server, resulting in failed clock synchronization.

Procedure

  • Unicast Client/Server Mode

    NOTE:

    In the unicast client/server mode, you need to configure only the client. The server needs to be configured with only an NTP primary clock.

    The server can function as a clock server to which other devices synchronize only after its own clock is synchronized. When the clock stratum of the server is greater than or equal to the clock stratum of the client, the client is not synchronized to the server.

    You can run the ntp unicast-server command repeatedly to configure multiple servers. The client selects the optimal clock source by selecting a preferred clock.

    Configure the unicast client.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      • ntp unicast-server ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preferred | port port-number ] *

        An NTP server with a specified IPv4 address is configured.

      • ntp unicast-server ipv6 ipv6-address [ authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preferred | port port-number ] *

        An NTP server with a specified IPv6 address is configured.

      The value of ip-address or ipv6-address is the IP address of the NTP server. It must be a host (unicast) address, not a broadcast or multicast address.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

      If the port parameter is specified, you must specify the same port number on the server by using the ntp port port-value command.

    3. Run:

      commit

      The configuration is committed.

  • Symmetric Peer Mode

    NOTE:

    Only the IP address of the symmetric passive peer needs to be specified on the symmetric active peer by a user, and both symmetric peers use this IP address to exchange NTP packets.

    One of the symmetric active peer and the symmetric passive peer must be in the synchronized state. Otherwise, they cannot be synchronized.

    You can run the ntp unicast-peer command repeatedly to configure multiple symmetric passive peers. When a symmetric active peer has multiple symmetric passive peers configured, the synchronization direction follows the principle that a symmetric peer of a larger stratum is synchronized with a symmetric peer of a smaller stratum.

    Configure the symmetric active peer.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      • ntp unicast-peer ip-address [ version number | authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preferred | port port-number ] *

        The NTP peer with a specified IPv4 address is configured.

      • ntp unicast-peer ipv6 ipv6-address [ authentication-keyid key-id | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preferred | port port-number ] *

        The NTP peer with a specified IPv6 address is configured.

      The values of ip-address or ipv6-address must be unicast addresses, and cannot be broadcast addresses or multicast addresses.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

      If the port parameter is specified, you must specify the same port number on the server by using the ntp port port-value command.

    3. Run:

      commit

      The configuration is committed.

  • Broadcast Mode

    NOTE:

    The broadcast mode can be used only on a local area network (LAN).

    The broadcast client can synchronize with the broadcast server only after the broadcast server's clock is synchronized.

    Configure the NTP broadcast server.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for sending NTP broadcast packets is specified, and the interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ntp broadcast-server [ version number | authentication-keyid key-id | port port-number ] *

      The local switch module is configured as the NTP broadcast server.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

      If the port parameter is specified, you must specify the same port number on the server by using the ntp port port-value command.

    5. Run:

      commit

      The configuration is committed.

    Configure the NTP broadcast client.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for receiving NTP broadcast packets is specified, and the interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ntp broadcast-client

      The local switch module is configured as the NTP broadcast client.

    5. Run:

      commit

      The configuration is committed.

  • Multicast Mode

    NOTE:

    The multicast client can synchronize with the multicast server only after the multicast server's clock is synchronized.

    Currently a maximum of 1024 multicast clients can be configured, but a maximum of 128 multicast clients can work simultaneously.

    Configure the NTP multicast server.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for sending NTP multicast packets is specified, and the interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      • ntp multicast-server [ ip-address ] [ version number | authentication-keyid key-id | ttl ttl-number | port port-number ] *

        The local switch module is configured as the NTP multicast server on an IPv4 network.

      • ntp multicast-server [ ipv6 [ ipv6-address ] ] [ authentication-keyid key-id | ttl ttl-number | port port-number ] *

        The local switch module is configured as the NTP multicast server on an IPv6 network.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

      If the port parameter is specified, you must specify the same port number on the server by using the ntp port port-value command.

    5. Run:

      commit

      The configuration is committed.

    Configure the NTP multicast client.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for receiving NTP multicast packets is specified, and the interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ntp multicast-client [ ip-address | ipv6 [ ipv6-address  ] ]

      The local switch module is configured as the NTP multicast client.

    5. Run:

      commit

      The configuration is committed.

  • Manycast Mode

    Configure the NTP manycast server.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for receiving NTP manycast packets is specified, and the interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ntp manycast-server [ ip-address | ipv6 [ ipv6-address ] ]

      The local switch module is configured as the NTP manycast server.

    5. Run:

      commit

      The configuration is committed.

    Configure the NTP manycast client.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for sending NTP manycast packets is specified, and the interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ntp manycast-client [ ip-address | ipv6 [ ipv6-address ] ] [ authentication-keyid key-id | ttl ttl-number | port port-number ] *

      The local switch module is configured as the NTP manycast client.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

      If the port parameter is specified, you must specify the same port number on the manycast server by using the ntp port port-value command.

    5. Run:

      commit

      The configuration is committed.

Checking the Configuration

Prerequisites

All configurations of basic NTP functions are completed.

Procedure

  • Run the display ntp status command to check the NTP service status.
  • Run the display ntp sessions [ verbose ] command to check the NTP session status.
  • Run the display ntp trace command to check the path from the local device to the reference clock source.
  • Run the display ntp statistics packet [ [ ipv6 ] interface { interface-type interface-number | all } | peer [ [ ip-address [ vpn-instance vpn-instance-name ] ] | ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] ] ] command to check the statistical information about NTP packets or symmetric peers.
  • Run the display ntp slot-status command to check the state of the clock system on the device.

Configuring the Client Clock

If the server clock is unstable, the client clock must be resynchronized whenever the server clock changes.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp sync-interval interval

    The interval for updating the client clock is configured.

    By default, the interval for updating the client clock is 600 seconds.

Checking the Configuration
  • Run the display current-configuration | include ntp command to check configuration of NTP.

Configuring the Local Source Interface for Sending and Receiving NTP Packets

You can configure a local source interface for sending and receiving NTP packets so that the IP addresses of other interfaces on the device do not become the destination address of reply packets. This simplifies the deployment of traffic control policies.

Prerequisites

All configurations of basic NTP functions have been completed.

NOTE:

If the ntp unicast-server or the ntp unicast-peer command specifies the source interface of NTP packets, the specified source interface takes effect.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp [ ipv6 ] source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

    The local source interface for sending and receiving NTP packets is configured.

    By default, the local source interface for sending NTP packets is not specified. The source IP address of an NTP packet is selected according to the route.

    In broadcast, manycast and multicast modes, the NTP service is performed on the source interface and the ntp [ ipv6 ] source-interface command does not take effect.

    If the specified NTP source interface is in Down state, the source IP address of a sent NTP packet is the primary IP address of the packet's outbound interface.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display current-configuration | include ntp command to check the configuration about the local source interface for sending and receiving NTP packets.

Limit on the Number of Local Dynamic Sessions

Excess dynamic sessions limit the number of static sessions. To address this problem, you can limit the number of dynamic sessions on the device.

Prerequisites

All configurations of basic NTP functions have been completed.

Context

In unicast client/server mode and symmetric peer mode, sessions are established by command lines and are therefore static sessions. In broadcast, manycast, and multicast modes, sessions are established dynamically, so the limit on the number of local dynamic sessions applies to those modes.

NOTE:

The ntp max-dynamic-sessions command runs without affecting the existing NTP sessions. When the number of local dynamic NTP sessions exceeds the maximum number, a new session cannot be established.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp max-dynamic-sessions number

    The number of local dynamic sessions that can be established is configured.

    By default, a maximum of 100 NTP dynamic sessions can be established.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display current-configuration | include ntp command to check the number of local dynamic sessions that can be established.

Configuring NTP Access Control

On networks requiring high security, you can use the NTP security functions to prevent attackers from tampering with NTP packets.

Prerequisites

All configurations of basic NTP functions have been completed.

Configuration Order

You can perform the following configuration tasks in any sequence as required.

Disabling a Specified Interface from Receiving NTP Packets

Context

You can disable an interface connected to external devices from receiving NTP packets in the following scenarios:
  • An unreliable clock server is reachable through the interface. After NTP is enabled, all interfaces receive NTP packets by default, and an unreliable clock source makes the NTP clock data inaccurate.
  • The interface is exposed to attack, and NTP clock data could be tampered with through it.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface for receiving NTP packets is specified.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    ntp [ ipv6 ] receive disable

    The interface is disabled from receiving NTP packets.

  5. Run:

    commit

    The configuration is committed.

Disabling the NTP Service Function

Context

You can disable NTP services to prevent the device from being synchronized with the clock of an external server or a symmetric peer, or when the device does not need to provide a clock reference source for external clients.
NOTE:

The existing configuration is not deleted when the NTP service function is disabled.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp-service [ ipv6 ] server disable

    NTP server functionality is disabled on the device.

    By default, the NTP server function is enabled.

Configuring NTP Access Control Authority

Context

NTP access control is a simple security measure. When an access request reaches the local end, it is matched against the configured access authorities from the highest to the lowest. The first access authority that matches takes effect. The matching order is: peer, server, synchronization, query, and limited.
  • peer: The remote end can send time requests and control queries to the local end, and the local clock can also be synchronized with the clock of the remote server.

  • server: The remote end can send time requests and control queries to the local end, but the local clock cannot be synchronized with the clock of the remote server.

  • synchronization: The remote end can send only time requests to the local end.

  • query: The remote end can send only control queries to the local end.

  • limited: When the rate of incoming NTP packets exceeds the upper limit, the excess NTP packets are discarded.

The access control authority is configured on different devices in different NTP operating modes, as described in Table 3-14.

Table 3-14 Configuration of the NTP access control authority

  NTP Operating Mode             | Restricted NTP Request Type                                                                          | Configured Device
  -------------------------------|------------------------------------------------------------------------------------------------------|-----------------------
  Unicast NTP client/server mode | The client is restricted from synchronizing to the server.                                           | Client
  Unicast NTP client/server mode | The server is restricted from processing the clock synchronization request sent by the client.       | Server
  NTP symmetric peer mode        | A symmetric passive peer and a symmetric active peer are restricted from synchronizing with each other. | Symmetric active peer
  NTP symmetric peer mode        | The symmetric passive peer is restricted from processing the clock request sent by the symmetric active peer. | Symmetric passive peer
  NTP multicast mode             | The client is restricted from synchronizing to the server.                                           | NTP multicast client
  NTP broadcast mode             | The client is restricted from synchronizing to the server.                                           | NTP broadcast client
  NTP manycast client mode       | The client is restricted from synchronizing to the server.                                           | NTP manycast client
  NTP manycast server mode       | The server is restricted from processing the clock synchronization request sent by the client.       | NTP manycast server

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure the basic ACL.

    Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

  3. Run:

    ntp access { peer | query | server | synchronization | limited } { { acl-number | acl-name acl-name } | ipv6 { acl6-number | acl6-name acl6-name } }*

    The access control authority of the NTP service is configured.

    By default, no access control authority is set.

    NOTE:

    Check the configuration of the ACL rule before configuring the NTP access control authority in the ACL. When the ACL rule is permit, the peer device with the source IP address specified in this rule can access the NTP service on the local device. The access right of the peer device is configured using the ntp access command. When the ACL rule is deny, the peer device with the source IP address specified in this rule cannot access the NTP service on the local device.

  4. Run:

    ntp discard { min-interval min-interval-val | avg-interval avg-interval-val } * 

    The minimum inter-packet interval and the average inter-packet interval of NTP are configured.

    By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds, namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2 in seconds, namely, 32 seconds.

  5. Run:

    commit

    The configuration is committed.

Configuring KOD

Context

Kiss-o'-Death (KOD) is an access control mechanism introduced in NTPv4. It is mainly used by a server to provide information, such as status reports and access control, to a client.

After the KOD is enabled on the server, the server sends the kiss code DENY or the kiss code RATE to the client according to the operating status of the system.

  • When receiving the kiss code DENY, the client terminates all connections with the server, and stops sending packets to the server.
  • When receiving the kiss code RATE, the client immediately shortens a poll interval with the server. Every time the kiss code RATE is received after the first shortening operation, the poll interval is further shortened.
NOTE:

The KOD supports the unicast client/server mode, and symmetric peer mode.

The KOD only functions in NTPv4.

The following configuration is performed on the server.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp kod-enable

    The KOD function is enabled.

    By default, the KOD function is disabled.

  3. Configure the basic ACL.

    Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

  4. Run:

    ntp access limited { { acl-number | acl-name acl-name } | ipv6 { acl6-number | acl6-name acl6-name } }*

    Control on the rate of incoming NTP packets is enabled.

    By default, control on the rate of incoming NTP packets is disabled.

    NOTE:

    Before enabling control on the rate of incoming NTP packets, check the ACL rule configuration. When the ACL rule is deny, the server sends the kiss code DENY. When the ACL is permit and the rate of incoming NTP packets reaches the upper threshold, the server sends the kiss code RATE.

  5. Run:

    ntp discard { min-interval min-interval-val | avg-interval avg-interval-val } * 

    The minimum inter-packet interval and the average inter-packet interval of NTP are configured.

    By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds, namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2 in seconds, namely, 32 seconds.

  6. Run:

    commit

    The configuration is committed.
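The following Python model, added here as an example and not part of the Huawei guide, shows the decision logic of the two preceding sections together: the ntp access matching order (peer, server, synchronization, query, limited) with permit/deny ACL rules, and the KOD behaviour of the limited authority (kiss code DENY for a denied source, kiss code RATE for a permitted source that exceeds the min-interval/avg-interval rate limit). The ACL matching semantics for sources no rule covers and the windowed rate-limit smoothing are assumptions of the example; all addresses and rules are constructed test data.

```python
# Added example (not from the Huawei guide): a model of NTP access control
# authority matching and of the KOD decision on a server. ACL semantics for
# unmatched sources and the rate-limit smoothing are assumptions of this
# example; addresses and rules used with it are constructed test data.
import collections
import ipaddress

# Authorities in the order the device tries them, highest to lowest.
AUTHORITY_ORDER = ("peer", "server", "synchronization", "query", "limited")

# What each authority allows the remote end to do (from the bullet list above).
RIGHTS = {
    "peer": {"time_request", "control_query", "local_sync"},
    "server": {"time_request", "control_query"},
    "synchronization": {"time_request"},
    "query": {"control_query"},
    "limited": {"time_request", "control_query"},  # subject to rate control
}


def acl_lookup(rules, src):
    """rules: list of (action, network) in order. Return the action of the
    first rule whose network contains src, or None when no rule matches."""
    addr = ipaddress.ip_address(src)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action
    return None


class RateLimiter:
    """Model of `ntp discard min-interval / avg-interval` (defaults 2 s and 32 s).
    A source is over the limit when two packets arrive closer than min_interval,
    or when, once `window` packets have been seen, their average spacing is
    below avg_interval (the windowed average is an assumption of the model)."""

    def __init__(self, min_interval=2.0, avg_interval=32.0, window=8):
        self.min_interval = min_interval
        self.avg_interval = avg_interval
        self.window = window
        self.arrivals = {}  # src -> deque of recent arrival times

    def over_limit(self, src, now):
        times = self.arrivals.setdefault(src, collections.deque(maxlen=self.window))
        burst = bool(times) and (now - times[-1]) < self.min_interval
        times.append(now)
        if len(times) == self.window:
            avg_gap = (times[-1] - times[0]) / (self.window - 1)
            if avg_gap < self.avg_interval:
                return True
        return burst


def decide(access, src, request, now, limiter, kod_enabled=True):
    """Decide how the server handles `request` ("time_request",
    "control_query" or "local_sync") arriving from src at time `now`.

    access: {authority: [(action, network), ...]} as set with `ntp access`.
    Returns ("accept", authority), ("kod", "DENY" | "RATE") or ("drop", reason).
    """
    if not access:
        return ("accept", "unrestricted")  # page: no authority is set by default
    for authority in AUTHORITY_ORDER:
        rules = access.get(authority)
        if not rules:
            continue
        action = acl_lookup(rules, src)
        if action is None:
            continue  # this authority's ACL says nothing about src; try the next
        if authority == "limited":
            if action == "deny":
                return ("kod", "DENY") if kod_enabled else ("drop", "acl deny")
            if limiter.over_limit(src, now):
                return ("kod", "RATE") if kod_enabled else ("drop", "rate exceeded")
        elif action == "deny":
            return ("drop", f"{authority} acl denies {src}")
        if request not in RIGHTS[authority]:
            return ("drop", f"{authority} does not allow {request}")
        return ("accept", authority)
    return ("drop", "no authority matched")  # assumption for unmatched sources
```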

Configuring NTP Authentication

Context

In networks demanding high security, NTP authentication needs to be enabled. Password authentication between the client and the server ensures that the client synchronizes only with a device that has been authenticated, improving network security.

When configuring the NTP authentication function, note the following rules:

  • The NTP authentication function must be enabled first; otherwise, authentication cannot be implemented.

  • The NTP authentication function needs to be configured on both the client and the server. Otherwise, the NTP authentication function does not take effect.

  • If the NTP authentication function is enabled, a trusted key is configured on the client.

  • Keys configured on the server and the client must be identical.

  • The device that wants to synchronize its clock must declare its key as reliable. Otherwise, NTP authentication will fail.

NOTE:

In NTP symmetric peer mode, the symmetric active peer functions as a client and the symmetric passive peer functions as a server.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp authentication enable

    The NTP authentication function is enabled.

  3. Run:

    ntp authentication-keyid key-id authentication-mode { md5 | hmac-sha256 } { plain password-plain | [ cipher ] password }

    The NTP authentication key is configured.

  4. Run:

    ntp trusted authentication-keyid key-id

    The reliable key is specified.

  5. Run:

    commit

    The configuration is committed.

Follow-up Procedure

After the configuration of the NTP authentication is completed, apply the NTP authentication key in Configuring NTP Operating Modes. That is, specify the parameter authentication-keyid.
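The Python example below, added here and not part of the Huawei guide, shows what the key configured with ntp authentication-keyid and the trust declared with ntp trusted authentication-keyid do on the wire: it appends a key id and digest to an NTP packet and verifies it the way a configured peer would, rejecting packets whose key id is not trusted, whose key differs, or whose contents were altered. The digest constructions are assumptions (MD5 over key || packet as in RFC 5905, and HMAC-SHA256 over the packet); the switch modules' exact wire format is not described on the page, and the secrets and timestamp are constructed values.

```python
# Added example (not from the Huawei guide): building and verifying the NTP
# authenticator (key id + digest) that `ntp authentication-keyid ... md5 |
# hmac-sha256` and `ntp trusted authentication-keyid` control. The digest
# constructions are assumptions: MD5 over key || packet as in RFC 5905 and
# HMAC-SHA256 over the packet; the switch's exact wire format is not on the page.
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
DIGEST_LEN = {"md5": 16, "hmac-sha256": 32}


def build_client_header(transmit_ts=None):
    """Return a 48-byte NTPv4 client header (LI=0, VN=4, mode=3 client).
    Only the transmit timestamp is filled in, which is all a request needs."""
    if transmit_ts is None:
        transmit_ts = time.time()
    seconds = int(transmit_ts) + NTP_EPOCH_OFFSET
    fraction = int((transmit_ts - int(transmit_ts)) * (1 << 32))
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # li/vn/mode, stratum, poll, precision, root delay, root dispersion, ref id
    head = struct.pack("!BBBbIII", li_vn_mode, 0, 0, 0, 0, 0, 0)
    # reference, origin and receive timestamps are zero in a client request
    return head + b"\x00" * 24 + struct.pack("!II", seconds, fraction)


def compute_digest(mode, key, header):
    """Digest over the 48-byte header for the configured authentication mode."""
    if mode == "md5":
        return hashlib.md5(key + header).digest()  # RFC 5905 keyed MD5
    if mode == "hmac-sha256":
        return hmac.new(key, header, hashlib.sha256).digest()
    raise ValueError(f"unsupported authentication mode {mode!r}")


def sign_packet(header, key_id, mode, key):
    """Append the authenticator: a 4-byte key id followed by the digest."""
    return header + struct.pack("!I", key_id) + compute_digest(mode, key, header)


def verify_packet(packet, keys, trusted_ids):
    """Verify a received packet the way a configured peer would.

    keys: {key_id: (mode, key)} as configured with ntp authentication-keyid.
    trusted_ids: key ids declared with ntp trusted authentication-keyid.
    Returns (ok, reason).
    """
    if len(packet) < NTP_HEADER_LEN + 4:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    if key_id not in trusted_ids:
        return False, f"key id {key_id} is not declared trusted"
    if key_id not in keys:
        return False, f"key id {key_id} is not configured"
    mode, key = keys[key_id]
    digest = packet[NTP_HEADER_LEN + 4:]
    if len(digest) != DIGEST_LEN[mode]:
        return False, "digest length does not match the configured mode"
    # constant-time comparison so verification time does not leak digest bytes
    if not hmac.compare_digest(compute_digest(mode, key, header), digest):
        return False, "digest mismatch: wrong key or tampered packet"
    return True, "authenticated"
```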

Checking the Configuration

Prerequisites

The configuration of NTP access control is completed.

Procedure

  • Run the display current-configuration | include ntp command to check the NTP configuration.
  • Run the display ntp status command to check the NTP service status.
  • Run the display ntp sessions [ verbose ] command to check the NTP session status.
Updated: 2019-08-09

Document ID: EDOC1000041694
