Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
NTP Configuration Commands


display ntp-service sessions

Function

The display ntp-service sessions command displays all session information maintained by NTP on the local end.

Format

display ntp-service sessions [ verbose ]

Parameters

Parameter Description Value
verbose

Displays detailed information about an NTP session.

If verbose is not specified, only summary information about the NTP session is displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Run the display ntp-service sessions command. If the verbose option is not specified, only summary information about a session is displayed.

Example

# Display NTP session information of the local device.

<Huawei> display ntp-service sessions
 clock source: 127.127.1.0                                                      
 clock stratum: 1                                                               
 clock status:configured, master, sane, valid                                   
 reference clock ID: LOCAL(0)                                                   
 reach: 377                                                                     
 poll: 64                                                                       
 now: 2                                                                         
 offset: 0.0000 ms                                                              
 delay: 0.00 ms                                                                 
 disper: 0.94 ms    
Table 3-37  Description of the display ntp-service sessions command output

Item

Description

clock source

Address of the clock source.

clock stratum

Stratum of the clock source.

The clock stratum determines the precision of the clock, and its value ranges from 1 to 16. The higher the stratum value, the lower the clock precision. The value 1 indicates the highest precision, and the value 16 indicates the lowest precision. A clock with stratum 16 is in the unsynchronized state and cannot be used as a reference clock.

clock status

Status of a clock, where
  • configured: indicates that the session is set up by a configuration command.
  • master: indicates that the clock source corresponding to the session is the primary clock source of the current system.
  • selected: indicates that the clock source corresponding to the session passes the clock selecting algorithm.
  • candidate: indicates that the clock source corresponding to the session is a candidate clock source.
  • sane: indicates that the clock source corresponding to the session passes the saneness test.
  • insane: indicates that the clock source corresponding to the session does not pass the saneness test.
  • valid: indicates that the clock source corresponding to the session is valid. The clock source corresponding to the session passes the test, is in a synchronized status and is of an effective stratum. The root delay and the root dispersion are within the normal range.
  • invalid: indicates that the clock source corresponding to the session is invalid.
  • unsynced: indicates that the clock source corresponding to the session is not yet synchronized or the stratum is invalid.

reference clock ID

When the local system has been synchronized to a remote NTP server or a clock source, the address of the remote server or the identifier of the clock source is displayed.

reach

Reachability count of the clock source. The value 0 indicates that the clock source is unreachable.

poll

Poll interval of NTP packets. The interval for sending two successive NTP packets, in seconds.

now

Interval between the last synchronization and the current time.

offset

Offset to the superior clock source.

delay

Delay to the superior clock source.

disper

Dispersion to the superior clock source.
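
The checks that Table 3-37 supports, as an added example that is not part of the Huawei documentation: a Python parser for the summary output above that flags sessions carrying the insane, invalid or unsynced flags, stratum 16 or reach 0. The source allow-list, the offset threshold, the second and third sample sessions, and the layout of several sessions as repeated blocks are assumptions.

```python
import re

# Flags that Table 3-37 describes as a failed test or an unusable source.
BAD_FLAGS = {"insane", "invalid", "unsynced"}

# Constructed sample. The first session is the output shown on this page; the
# other two are invented (documentation addresses) to exercise the checks.
SAMPLE = """\
<Huawei> display ntp-service sessions
 clock source: 127.127.1.0
 clock stratum: 1
 clock status:configured, master, sane, valid
 reference clock ID: LOCAL(0)
 reach: 377
 poll: 64
 now: 2
 offset: 0.0000 ms
 delay: 0.00 ms
 disper: 0.94 ms
 clock source: 192.0.2.10
 clock stratum: 16
 clock status:configured, insane, invalid, unsynced
 reference clock ID: none
 reach: 0
 poll: 64
 now: 131
 offset: 0.0000 ms
 delay: 0.00 ms
 disper: 0.00 ms
 clock source: 198.51.100.7
 clock stratum: 3
 clock status:selected, sane, valid
 reference clock ID: 203.0.113.1
 reach: 377
 poll: 64
 now: 12
 offset: 850.2000 ms
 delay: 4.10 ms
 disper: 1.20 ms
"""


def parse_sessions(text):
    """Split the output into one dict per session, keyed by field name."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):   # blank line or CLI prompt
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "clock source":              # assumed start of a new session
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions


def findings(session, allowed=None, max_offset_ms=100.0):
    """Return the reasons a session should not be trusted as a time source."""
    reasons = []
    # Assumption: the operator keeps a list of approved clock sources.
    if allowed is not None and session["clock source"] not in allowed:
        reasons.append("source not in allow-list")
    flags = {f.strip() for f in session.get("clock status", "").split(",")}
    for flag in sorted(flags & BAD_FLAGS):
        reasons.append("status flag: " + flag)
    stratum = session.get("clock stratum", "")
    if stratum.isdigit() and int(stratum) >= 16:
        reasons.append("stratum 16 (unsynchronized)")
    if session.get("reach", "") == "0":
        reasons.append("reach 0 (unreachable)")
    # Assumption: offsets beyond the threshold deserve a look.
    m = re.match(r"(-?\d+(?:\.\d+)?)\s*ms", session.get("offset", ""))
    if m and abs(float(m.group(1))) > max_offset_ms:
        reasons.append("offset above threshold")
    return reasons


def audit(text, allowed=None, max_offset_ms=100.0):
    """Map each clock source address to its list of findings."""
    return {s["clock source"]: findings(s, allowed, max_offset_ms)
            for s in parse_sessions(text)}


if __name__ == "__main__":
    approved = {"127.127.1.0", "192.0.2.10"}
    for source, reasons in audit(SAMPLE, allowed=approved).items():
        print(source, "OK" if not reasons else "; ".join(reasons))
```
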

# Display detailed information about NTP sessions on the local device.

<Huawei> display ntp-service sessions verbose
 clock source: 127.127.1.0                                                      
 clock stratum: 1                                                               
 clock status:configured, master, sane, valid                                   
 reference clock ID: LOCAL(0)                                                   
 local mode: client, local poll: 6                                              
 peer mode: server, peer poll: 6                                                
 offset: 0.0000 ms,delay: 0.00 ms,  disper: 0.88 ms                             
 root delay: 0.00 ms, root disper: 10.00 ms                                     
 reach: 37, sync dist: 0.011, sync state: 3                                     
 precision: 2^18, version: 3, peer interface: InLoopBack0                       
 reftime: 16:46:51.054 UTC Jul 28 2012(D3BE95FB.0DFB3FA6)                       
 orgtime: 16:46:51.054 UTC Jul 28 2012(D3BE95FB.0DFB3FA6)                       
 rcvtime: 16:46:51.054 UTC Jul 28 2012(D3BE95FB.0DFBF833)                       
 xmttime: 16:46:51.054 UTC Jul 28 2012(D3BE95FB.0DFADAFD)                       
 filter delay :  0.00   0.00   0.00   0.00   0.00   0.00   0.00   0.00          
 filter offset:  0.00   0.00   0.00   0.00   0.00   0.00   0.00   0.00          
 filter disper:  0.00   0.00   0.00   0.00   0.00   0.00   0.00   0.00          
 reference clock status: working abnormally  
 timecode:    
Table 3-38  Description of the display ntp-service sessions verbose command output

Item

Description

clock source

Address of the clock source.

clock stratum

NTP stratum on which the local system is located.

clock status

Status of a clock, where
  • configured: indicates that the session is set up by a configuration command.
  • master: indicates that the clock source corresponding to the session is the primary clock source of the current system.
  • selected: indicates that the clock source corresponding to the session passes the clock selecting algorithm.
  • candidate: indicates that the clock source corresponding to the session is a candidate clock source.
  • sane: indicates that the clock source corresponding to the session passes the saneness test.
  • insane: indicates that the clock source corresponding to the session does not pass the saneness test.
  • valid: indicates that the clock source corresponding to the session is valid. The clock source corresponding to the session passes the test, is in a synchronized status and is of an effective stratum. The root delay and the root dispersion are within the normal range.
  • invalid: indicates that the clock source corresponding to the session is invalid.
  • unsynced: indicates that the clock source corresponding to the session is not yet synchronized or the stratum is invalid.

reference clock ID

When the local system has been synchronized to a remote NTP server or a clock source, the address of the remote server or the identifier of the clock source is displayed. When the server is located on a certain VPN, the name of the VPN instance is displayed.

local mode

Local system mode.

peer mode

Peer system mode.

local poll

Local polling mode.

peer poll

Peer polling mode.

offset

Offset to the superior clock source.

delay

Delay to the superior clock source.

disper

Dispersion to the superior clock source.

root delay

Total system delay between the local end and the master reference clock. The default value is 0.

root disper

System dispersion of the local end to the master reference clock. The default value is 0.

reach

Reachability mark, indicating the reachability to the clock source.

sync dist

Synchronization distance to the superior clock source. This parameter evaluates and describes the clock source, and NTP chooses the clock source with the shortest synchronization distance.

sync state

Synchronization state:
  • 0: The clock has never been synchronized.

  • 1: Frequency information is obtained from configuration information.

  • 2: The clock is set.

  • 3: The clock is set, but the frequency is not yet determined.

  • 4: The clock is synchronized.

  • 5: An error is found.

precision

Precision of a peer clock.

version

NTP version.

peer interface

Peer interface.

reftime

Reference timestamp.

orgtime

Time when an NTP packet is sent for the last time.

rcvtime

Time when an NTP packet is received for the last time.

xmttime

Time when an NTP packet is forwarded for the last time.

filter delay

Filter delays of the 8 packets received for the last time.

filter offset

Filter offsets of the 8 packets received for the last time.

filter disper

Filter dispersions of the 8 packets received for the last time.

reference clock status

The status of the reference clock, including:
  • working normally: normal status.
  • working abnormally: abnormal status.

timecode

Indicates the time code.

display ntp-service status

Function

The display ntp-service status command displays the status of NTP.

Format

display ntp-service status

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Based on the displayed status of the NTP service, you can determine the synchronization status and stratum of the local system clock.

Example

# Display the status of the NTP service.

<Huawei> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 15:51:36.259 UTC Apr 25 2012(C6179088.426490A3)
Table 3-39  Description of the display ntp-service status command output

Item

Description

clock status

Status of the clock:
  • synchronized: indicates that the local system clock is synchronized with an NTP server or a reference clock.

  • unsynchronized: indicates that the local system clock is not synchronized with any NTP server.

clock stratum

Stratum of the local system clock.

reference clock ID

Reference clock:
  • If the local system clock has been synchronized with a remote NTP server or a reference clock, this field displays the IP address of the remote NTP server or the identifier of the reference clock.

  • If the local system clock functions as a reference clock, this field displays "Local".

  • If clock status is unsynchronized, this field displays "None".

nominal frequency

Nominal frequency of the local system clock.

actual frequency

Actual frequency of the local system clock.

clock precision

Precision of the local system clock.

clock offset

Offset between the local system clock and the NTP server.

root delay

Total delay between the local system clock and the master reference clock.

root dispersion

Total dispersion between the local system clock and the master reference clock.

peer dispersion

Dispersion between the local system clock and the remote NTP peer.

reference time

Reference timestamp.

display ntp-service trace

Function

The display ntp-service trace command traces the path from the local device to the reference clock source and displays it.

Format

display ntp-service trace

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you run the display ntp-service trace command, summary information about each NTP server on the synchronization path from the local device to the reference clock source is displayed.

NOTE:

The display ntp-service trace command does not support an IPv6 clock source.

Example

# Display the summary of each passing NTP server when you trace the reference clock source from the local device.

<Huawei> display ntp-service trace
server 127.0.0.1,stratum 5, offset 0.024099, synch distance 0.06337
server 171.1.1.2,stratum 4, offset 0.028786, synch distance 0.04575
server 201.1.1.2,stratum 3, offset 0.035199, synch distance 0.03075
server 200.1.7.1,stratum 2, offset 0.039855, synch distance 0.01096
refid 127.127.1.0
Table 3-40  Description of the display ntp-service trace command output

Item

Description

server

IP address of the NTP server.

stratum

Stratum of the clock on the NTP server.

offset

Offset to the superior reference clock.

synch distance

Synchronization distance to the superior reference clock.

This parameter evaluates and describes the reference clock and NTP chooses the reference clock with the shortest synchronization distance.

refid

Reference clock source.

ntp-service access

Function

The ntp-service access command sets the access control authority of the local NTP.

The undo ntp-service access command cancels the configured access control authority.

By default, no access control authority is set.

Format

ntp-service access { peer | query | server | synchronization | limited } { acl-number | ipv6 acl6-number } *

undo ntp-service access { peer | query | server | synchronization | limited } [ ipv6 | all ]

undo ntp-service access { peer | query | server | synchronization | limited } [ acl-number | ipv6 acl6-number ] *

Parameters

Parameter Description Value
peer Indicates maximum access authority. Both time request and control query can be performed on the local NTP service, and the local clock can be synchronized to the remote server. -
query Indicates minimum access. Only control query can be performed on the local NTP service. -
server Indicates that server access and query are permitted. Both time request and control query can be performed on the local NTP service, but the local clock cannot be synchronized to the remote server. -
synchronization Indicates that only server access is permitted. Only time request can be performed on the local NTP service. -
limited When the rate of NTP packets exceeds the upper limit, the incoming NTP packets are discarded, and a Kiss code is sent if the KOD function is enabled. -
acl-number Indicates the number of a basic ACL with IPv4 address specified. The value is an integer that ranges from 2000 to 2999.
ipv6 acl6-number Indicates the number of an ACL with IPv6 address specified. The value is an integer that ranges from 2000 to 2999.
all Indicates all access control authority. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Compared with NTP authentication, the ntp-service access command is a simpler way to protect the network. When an access request reaches the local end, it is matched against the access authorities in order from the highest to the lowest, and the first access authority that matches takes effect. The matching order is: peer, server, synchronization, query, and limited.

Depending on the access authority to be limited, run the command on different devices accordingly. For details, see the following table.

Table 3-41  Configuration of the NTP access control authority

| NTP Operating Mode | Usage Scenario | Device Configured |
|---|---|---|
| Unicast NTP server/client mode | The client is restricted from being synchronized to a server, so that the client will not be synchronized to an unreliable unicast NTP server on the network. | Client |
| Unicast NTP server/client mode | The server is restricted from processing the synchronization time request of the client, so that the synchronization range of the server is controlled. | Server |
| NTP symmetric peer mode | The two ends are restricted from being synchronized with each other to prevent an unreliable symmetric passive peer on the network from synchronizing the client. | Symmetric active peer |
| NTP symmetric peer mode | The symmetric passive peer is restricted from processing the time request, so that the synchronization range of the symmetric passive peer is controlled. | Symmetric passive peer |
| NTP multicast mode | The client is restricted from synchronizing to the server to prevent an unreliable multicast NTP server from synchronizing the client. | NTP multicast client |
| NTP broadcast mode | The client is restricted from being synchronized to a server, so that the client will not be synchronized to an unreliable broadcast NTP server on the network. | NTP broadcast client |
| NTP manycast client mode | The client is restricted from being synchronized to a server. | NTP manycast client |
| NTP manycast server mode | The server is restricted from processing the clock synchronization request sent by the client. | NTP manycast server |

The ntp-service access command provides only a minimal level of security. A more secure method is identity authentication; see the ntp-service authentication enable command for the relevant configuration.

Precautions

Check the configuration of the ACL rule before configuring the NTP access control authority in the ACL. When the ACL rule is permit, the peer device with the source IP address specified in this rule can access the NTP service on the local device. The access right of the peer device is configured using the ntp-service access command. When the ACL rule is deny, the peer device with the source IP address specified in this rule cannot access the NTP service on the local device.

Example

# Enable the peer matching ACL 2000 to perform time request, query control and time synchronization on the local device.

<Huawei> system-view
[Huawei] ntp-service access peer 2000

# Enable the server matching ACL 2002 to perform time request and query control on the local device.

<Huawei> system-view
[Huawei] ntp-service access server 2002

ntp-service authentication complexity-check disable

Function

The ntp-service authentication complexity-check disable command disables NTP authentication key complexity check.

The undo ntp-service authentication complexity-check disable command enables NTP authentication key complexity check.

By default, NTP authentication key complexity check is enabled.

Format

ntp-service authentication complexity-check disable

undo ntp-service authentication complexity-check disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

An NTP authentication key must meet the following requirements:
  • The value is a string of 6-255 (plain text) or 20-392 (cipher text) case-sensitive characters without spaces.
  • The key must be a combination of at least two of the following: uppercase letters, lowercase letters, digits, and special characters.
  • If a key contains spaces, the key must be included in double quotation marks. A key can only have a pair of double quotation marks.

By default, the device performs a complexity check on NTP authentication keys. If a key fails the check, it cannot be configured. If you do not require this function, disable it. However, disabling this function introduces security risks.

The versions earlier than V200R006C10 do not support NTP authentication key complexity check. When a device running V200R006C10 or a later version connects to a device running an earlier version, run the ntp-service authentication complexity-check disable command to disable NTP authentication key complexity check on the device running V200R006C10 or a later version. If this command is not executed, clock synchronization will fail when the NTP authentication key cannot pass complexity check.

Example

# Disable NTP authentication key complexity check.

<Huawei> system-view
[Huawei] ntp-service authentication complexity-check disable

ntp-service authentication enable

Function

The ntp-service authentication enable command enables identity authentication for NTP.

The undo ntp-service authentication enable command disables the identity authentication.

By default, identity authentication is disabled.

Format

ntp-service authentication enable

undo ntp-service authentication enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

On networks requiring high security, authentication must be enabled for NTP. The NTP client authenticates NTP servers using a password and synchronizes time with only the authenticated server. This improves network security.

Example

# Enable identity authentication for NTP.

<Huawei> system-view
[Huawei] ntp-service authentication enable

ntp-service authentication-keyid

Function

The ntp-service authentication-keyid command sets an NTP authentication key.

The undo ntp-service authentication-keyid command removes an NTP authentication key.

By default, no authentication key is set.

Format

ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 } [ cipher ] password

undo ntp-service authentication-keyid key-id

Parameters

Parameter Description Value
key-id Indicates the key number. Key ID is an integer and ranges from 1 to 4294967295.
authentication-mode md5 Indicates MD5 authentication mode. -
authentication-mode hmac-sha256 Indicates HMAC-SHA256 authentication mode. -
cipher

Indicates that the configured password is displayed in cipher text.

-
password

Specifies the authentication password in plain text or in cipher text.

When quotation marks are used around the string, spaces are allowed in the string.

The password is a string of case-sensitive characters without spaces. The string length range is:
  • 1 to 255 characters in plain text.
  • 20 to 392 characters in cipher text.
NOTE:

To improve password security, the password must be a combination of at least two of the following: digits, lowercase letters a to z, uppercase letters A to Z, and special characters, and the password length must be equal to or larger than 6.

If a password contains a space, the password must be placed into a pair of double quotation marks. Only one pair of double quotation marks can be used for each password.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a network that requires high security, NTP authentication must be enabled. You can configure password authentication between the client and the server, which ensures that the client synchronizes only with a successfully authenticated server and improves network security. If the NTP authentication function is enabled, a reliable key should be configured at the same time. Keys configured on the client and the server must be identical.

NOTE:

In NTP symmetric peer mode, the symmetric active peer functions as a client and the symmetric passive peer functions as a server.

Follow-up Procedure

You can configure multiple keys for each device. After the NTP authentication key is configured, you need to set the key to reliable using the ntp-service reliable authentication-keyid command. If you do not set the key to reliable, the NTP key does not take effect.

Precautions

Note that the MD5 authentication algorithm cannot ensure security. The HMAC-SHA256 authentication algorithm is recommended.

You can configure a maximum of 1024 keys for each device.

If the NTP authentication key is a reliable key, it automatically becomes unreliable when you delete the key. You do not need to run the undo ntp-service reliable authentication-keyid command.
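
An added example (not Huawei's code) that audits a configuration excerpt against the points made in this section and in the two authentication sections before it: authentication is disabled by default, a key does not take effect until it is set to reliable, MD5 is not recommended, and disabling the complexity check carries risk. The sample configuration, the `<cipher-text>` placeholder and the function name are constructed for illustration; it assumes saved configuration lines have the same form as the typed commands and that ntp-service reliable authentication-keyid takes the key ID as its argument.

```python
import re

# Constructed configuration excerpt; <cipher-text> stands in for the stored key.
SAMPLE_CONFIG = """\
ntp-service authentication complexity-check disable
ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher <cipher-text>
ntp-service authentication-keyid 20 authentication-mode md5 cipher <cipher-text>
ntp-service reliable authentication-keyid 20
ntp-service access peer 2000
"""

KEY_RE = re.compile(
    r"^ntp-service authentication-keyid (\d+) authentication-mode (md5|hmac-sha256)\b"
)
# Assumed argument form: the key ID follows the command name.
RELIABLE_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)\s*$")


def audit_ntp_config(text):
    """Return a list of findings for the NTP authentication settings in text."""
    findings = []
    keys = {}          # key ID -> authentication mode
    reliable = set()   # key IDs marked reliable
    auth_enabled = False

    for raw in text.splitlines():
        line = raw.strip()
        if line == "ntp-service authentication enable":
            auth_enabled = True
        elif line == "ntp-service authentication complexity-check disable":
            findings.append("key complexity check is disabled")
        m = KEY_RE.match(line)
        if m:
            keys[int(m.group(1))] = m.group(2)
        m = RELIABLE_RE.match(line)
        if m:
            reliable.add(int(m.group(1)))

    if not auth_enabled:
        findings.append("NTP authentication is not enabled (disabled by default)")
    for key_id, mode in sorted(keys.items()):
        if mode == "md5":
            findings.append("key %d uses md5; hmac-sha256 is recommended" % key_id)
        if key_id not in reliable:
            findings.append(
                "key %d is not set to reliable, so it does not take effect" % key_id
            )
    for key_id in sorted(reliable - set(keys)):
        findings.append("reliable key %d has no authentication-keyid definition" % key_id)
    return findings


if __name__ == "__main__":
    for finding in audit_ntp_config(SAMPLE_CONFIG):
        print("-", finding)
```
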

Example

# Set the HMAC-SHA256 identity authentication key. The key ID number is 10, and the key is BetterKey.

<Huawei> system-view
[Huawei] ntp-service authentication-keyid 10 authentication-mode hmac-sha256 BetterKey

ntp-service broadcast-client

Function

The ntp-service broadcast-client command configures the device to work in NTP broadcast client mode.

The undo ntp-service broadcast-client command removes the device from the NTP broadcast client mode.

By default, the device is not configured in the NTP broadcast client mode.

Format

ntp-service broadcast-client

undo ntp-service broadcast-client

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

On a synchronization subnet, when the IP address of a server or a symmetric peer is not determined, or when the clocks on a large number of devices need to be synchronized on the network, you can implement clock synchronization by configuring the broadcast mode.

On a specified interface on the broadcast client, run the ntp-service broadcast-client command to configure an interface on the local device to receive NTP broadcast packets. When the local device automatically runs in the broadcast client mode, the device can receive the synchronization packets sent by a broadcast server. For the configuration of the broadcast server, see the ntp-service broadcast-server command.

When the configuration is complete, you can run the display ntp-service sessions command to obtain information about sessions between the broadcast server and the local device.

Example

# Enable GE0/0/1 to receive NTP broadcast messages.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1] ntp-service broadcast-client

ntp-service broadcast-server

Function

The ntp-service broadcast-server command configures the local device to work in NTP broadcast server mode.

The undo ntp-service broadcast-server command removes the device from the NTP broadcast server mode.

By default, the broadcast server mode is not configured.

Format

ntp-service broadcast-server [ version number | authentication-keyid key-id ] *

undo ntp-service broadcast-server

Parameters

Parameter Description Value
version number Indicates the NTP version number.

If this parameter is not specified, the version number is a default value.

The value is an integer that ranges from 1 to 4. The default value is 3.
authentication-keyid key-id Indicates the authentication key number used to transmit a message to broadcast clients.

If this parameter is not specified, authentication is not performed.

Key ID is an integer and ranges from 1 to 4294967295.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

On a synchronization subnet, when the IP address of a server or a symmetric peer is not determined, or when the clocks on a large number of devices need to be synchronized on the network, you can implement clock synchronization by configuring the broadcast mode.

On a specified interface on the broadcast server, run the ntp-service broadcast-server command to configure an interface on the local device to send NTP broadcast packets. When the local device automatically runs in the broadcast server mode, the device can send synchronization packets to a broadcast client. For the configuration of the broadcast client, see the ntp-service broadcast-client command.

When the configuration is complete, you can run the display ntp-service sessions command to obtain information about sessions between the broadcast server and the client.

Example

# Enable GE0/0/1 to send NTP broadcast packets, with the NTP version as 2 and the key number as 4.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1] ntp-service broadcast-server version 2 authentication-keyid 4

ntp-service discard

Function

The ntp-service discard command sets the minimum inter-packet interval and the average inter-packet interval of NTP.

The undo ntp-service discard command cancels the minimum inter-packet interval and the average inter-packet interval of NTP.

By default, the minimum inter-packet interval is set to the first power of 2 in seconds, namely, 2 seconds, and the average inter-packet interval is set to the fifth power of 2 in seconds, namely, 32 seconds.

Format

ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val } *

undo ntp-service discard

Parameters

Parameter Description Value
min-interval min-interval-val

Specifies the minimum inter-packet interval of NTP.

The actual value of the minimum inter-packet interval of NTP is the value obtained by raising 2 to the power of min-interval-val, expressed in seconds.

The value of min-interval-val is an integer that ranges from 1 to 8.
avg-interval avg-interval-val

Specifies the average inter-packet interval of NTP.

The actual value of the average inter-packet interval of NTP is the value obtained by raising 2 to the power of avg-interval-val, expressed in seconds.

The value of avg-interval-val is an integer that ranges from 1 to 8.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The ntp-service discard command sets the minimum inter-packet interval and the average inter-packet interval of NTP. Both intervals must be set for the device to generate the kiss code RATE.

Example

# Set both the minimum inter-packet interval and the average inter-packet interval of NTP to the fourth power of 2, expressed in seconds, namely, 16 seconds.

<Huawei> system-view
[Huawei] ntp-service discard min-interval 4 avg-interval 4

ntp-service enable

Function

The ntp-service enable command enables the NTP service function on the local device.

The undo ntp-service enable command disables the NTP service function on the local device.

By default, the NTP service function on the local device is enabled.

Format

ntp-service enable

undo ntp-service enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The NTP function can be used on a device only after the NTP service on the device is enabled.

Example

# Enable the NTP service on the local device.

<Huawei> system-view
[Huawei] ntp-service enable 

ntp-service in-interface disable

Function

The ntp-service in-interface disable command disables an interface from receiving NTP packets.

The undo ntp-service in-interface disable command enables an interface to receive NTP packets.

By default, an interface is enabled to receive NTP packets.

Format

ntp-service [ ipv6 ] in-interface disable

undo ntp-service [ ipv6 ] in-interface disable

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

The ntp-service [ ipv6 ] in-interface disable command provides a method for access control.

You can disable the interface connected to external devices from receiving NTP packets in either of the following situations:
  • An unreliable clock server exists on the interface. By default, all the interfaces can receive NTP packets after NTP is enabled on the device. However, an unreliable clock source makes NTP clock data inaccurate.
  • The NTP clock data is modified when the interface is attacked maliciously.

Example

# Disable GE0/0/1 from receiving NTP packets.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ntp-service in-interface disable

ntp-service kod-enable

Function

The ntp-service kod-enable command enables the KOD function.

The undo ntp-service kod-enable command disables the KOD function.

By default, the KOD function is disabled.

Format

ntp-service kod-enable

undo ntp-service kod-enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Kiss-o'-Death (KOD) is a new access control technology introduced in NTPv4. It is mainly used by a server to provide information, such as status reports and access control, to a client. After the KOD function is enabled on the server, the server sends the kiss code DENY or RATE to the client according to the operating status of the system.

Run the ntp-service kod-enable command when kiss codes need to be generated in these situations.

Follow-up Procedure

After the KOD function is enabled on the server, you can run the ntp-service access limited command to enable control on the rate of incoming NTP packets. When the rate of incoming NTP packets reaches the upper threshold, the server sends the kiss code.

Example

# Enable the KOD function.

<Huawei> system-view
[Huawei] ntp-service kod-enable
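
The client side of the kiss codes described above, as an added example that is not Huawei's code: it recognises a KOD reply by stratum 0 and the four-character ASCII reference ID defined in RFC 5905, and acts only on a reply that echoes the client's own transmit timestamp. The packets, timestamps and function names are constructed for illustration, and the poll ceiling of 17 is the upper maxpoll bound given in this reference.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# 48-byte NTP header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit timestamps.
HEADER = struct.Struct("!BBbbII4sQQQQ")

# Client reaction to each kiss code (RFC 5905, section 7.4).
ACTIONS = {
    "DENY": "stop",     # server refuses service: stop polling it
    "RSTR": "stop",     # access restricted by policy: same handling
    "RATE": "backoff",  # polling too often: lengthen the poll interval
}


@dataclass
class Verdict:
    kiss_code: Optional[str]
    action: str  # "process", "stop", "backoff" or "ignore"


def build_reply(stratum, refid, origin_ts, leap=0, version=4, mode=4):
    """Build a constructed server reply (demo input, not captured traffic)."""
    first = (leap << 6) | (version << 3) | mode
    return HEADER.pack(first, stratum, 6, -20, 0, 0, refid, 0, origin_ts, 0, 0)


def classify(packet: bytes, sent_transmit_ts: int) -> Verdict:
    """Decide what a client should do with one reply from a server."""
    if len(packet) < HEADER.size:
        return Verdict(None, "ignore")
    first, stratum, _, _, _, _, refid, _, origin_ts, _, _ = HEADER.unpack_from(packet)
    if first & 0x07 != 4:                 # not a server-mode reply
        return Verdict(None, "ignore")
    if origin_ts != sent_transmit_ts:
        # The reply does not echo our request, so it may not come from the
        # server we polled. Never act on a kiss code in such a packet.
        return Verdict(None, "ignore")
    if stratum != 0:
        return Verdict(None, "process")   # ordinary time reply
    code = refid.decode("ascii", errors="replace")
    # Unknown codes (including experimental "X..." codes) carry no action.
    return Verdict(code, ACTIONS.get(code, "ignore"))


def next_poll(poll_exponent: int, verdict: Verdict, maxpoll: int = 17) -> int:
    """Return the new poll exponent; RATE raises it by one, up to maxpoll."""
    if verdict.action == "backoff":
        return min(poll_exponent + 1, maxpoll)
    return poll_exponent


if __name__ == "__main__":
    sent = 0xE5A1B2C3_00000000            # constructed transmit timestamp
    for name, pkt in [
        ("time reply", build_reply(2, bytes([10, 10, 1, 1]), sent)),
        ("DENY", build_reply(0, b"DENY", sent, leap=3)),
        ("RATE", build_reply(0, b"RATE", sent, leap=3)),
        ("mismatched RATE", build_reply(0, b"RATE", sent ^ 1, leap=3)),
    ]:
        print(name, classify(pkt, sent))
```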

ntp-service manycast-client

Function

The ntp-service manycast-client command configures the NTP manycast client mode.

The undo ntp-service manycast-client command cancels the NTP manycast client mode.

By default, the NTP manycast client mode is disabled.

Format

ntp-service manycast-client [ ip-address | ipv6 [ ipv6-address ] ] [ authentication-keyid key-id | ttl ttl-number ] *

undo ntp-service manycast-client [ ip-address | ipv6 [ ipv6-address ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies a manycast IPv4 address, which is a class D address. | The default IPv4 address is 224.0.1.1. |
| ipv6 [ ipv6-address ] | Specifies a manycast IPv6 address. | The default IPv6 address is FF0E::0101. |
| authentication-keyid key-id | Specifies the ID of the authentication key used for sending packets to a manycast server. | The value ranges from 1 to 4294967295. |
| ttl ttl-number | Specifies the TTL value of a manycast packet. | The value is an integer that ranges from 1 to 255. |

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

The local device runs in manycast client mode and periodically sends manycast packets to manycast servers. After the local device receives a reply packet from a manycast server, it establishes a dynamic client/server (C/S) association with that server. The initial value of the automated key ranges from 65537 to 4294967295.

NOTE:
In the configuration of the manycast client, if the server address is not specified, 224.0.1.1 or FF0E::0101 is adopted as the server address by default.

Example

# Configure interface GE1/0/0 to receive NTP manycast packets. Assign the manycast address FF0E::111 to the manycast IPv6 packets.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] ntp-service manycast-client ipv6 FF0E::111 authentication-keyid 6

ntp-service manycast-server

Function

The ntp-service manycast-server command configures the NTP manycast server mode.

The undo ntp-service manycast-server command cancels the NTP manycast server mode.

By default, the NTP manycast server mode is not configured.

Format

ntp-service manycast-server [ ip-address | ipv6 [ ipv6-address ] ]

undo ntp-service manycast-server [ ip-address | ipv6 [ ipv6-address ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies a manycast IPv4 address, which is a class D address. | The default IPv4 address is 224.0.1.1. |
| ipv6 [ ipv6-address ] | Specifies a manycast IPv6 address. | The default IPv6 address is FF0E::0101. |

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The manycast server responds to the manycast packets sent by the client. After the manycast client receives the reply packet, it establishes a temporary association with the server and enters C/S mode.

Precautions

If the manycast IP address is not specified when the undo ntp-service manycast-server command is run, the local device searches for the default IP address. In IPv4 networks, the default IP address of the manycast server is 224.0.1.1. In IPv6 networks, the default IP address of the manycast server is FF0E::0101. If the local device finds the default IP address, the undo ntp-service manycast-server command takes effect; otherwise, the command does not take effect.

Example

# Configure interface GE1/0/0 as an interface of the server. The interface is used for responding to the manycast client request from a manycast address.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] ntp-service manycast-server ipv6 FF0E::111

ntp-service max-dynamic-sessions

Function

The ntp-service max-dynamic-sessions command sets the maximum number of dynamic NTP sessions that can be set up.

The undo ntp-service max-dynamic-sessions command restores the maximum number of dynamic NTP sessions to the default value.

By default, up to 100 NTP dynamic sessions are allowed to be set up.

Format

ntp-service max-dynamic-sessions number

undo ntp-service max-dynamic-sessions

Parameters

| Parameter | Description | Value |
|---|---|---|
| number | Indicates the number of dynamic sessions allowed to be set up. | The number of dynamic NTP sessions is an integer that ranges from 0 to 100. The default value is 100. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A maximum of 128 sessions can be established on the same device running the NTP service in the same period, including static and dynamic sessions. In both unicast server/client mode and symmetric peer mode, command lines are used to establish static sessions. The dynamic sessions are established in broadcast mode, manycast mode, or multicast mode.

Excessive dynamic sessions directly affect the establishment of static sessions. A user can limit the number of local dynamic sessions to solve this problem.

Precautions

When the number of local dynamic sessions on the device is limited:
  • NTP dynamic sessions established are not affected. That is, when the number of the dynamic sessions exceeds the limit, the dynamic sessions established are not deleted, but a new dynamic session cannot be established.
  • The limit on the number of local dynamic sessions allowed should be configured on the client because the server does not record the number of the established NTP sessions.

Example

# Set the maximum number of dynamic NTP sessions that can be set up to 50.

<Huawei> system-view
[Huawei] ntp-service max-dynamic-sessions 50

ntp-service multicast-client

Function

The ntp-service multicast-client command configures the local device to work in NTP multicast client mode.

The undo ntp-service multicast-client command cancels the NTP multicast client mode.

By default, the NTP multicast client mode is not configured.

Format

ntp-service multicast-client [ ip-address | ipv6 [ ipv6-address ] ]

undo ntp-service multicast-client [ ip-address | ipv6 [ ipv6-address ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Indicates the multicast IP address. | The default IP address is 224.0.1.1. |
| ipv6 [ ipv6-address ] | Indicates the multicast IPv6 address. | The default IPv6 address is FF0E::0101. |

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To perform clock synchronization in multicast mode, you can use the ntp-service multicast-client command to specify the current interface on the local device to receive NTP multicast packets. The local device runs in the multicast client mode.

If a valid multicast server is configured, the local device synchronizes with the multicast server, and the local device time is updated with the time of the server.

Follow-up Procedure

When the configuration is complete, run the display ntp-service sessions command to obtain session information about the multicast server and the local device.

NOTE:

You can configure more than one multicast client with different multicast IP addresses on the same interface. When multiple multicast clients are configured, the device selects the optimal clock source by selecting a preferred clock.

You can configure a maximum of 1024 multicast clients on the local device, but a maximum of 128 multicast clients can work simultaneously.

Example

# Configure GE0/0/1 to receive NTP multicast packets. The multicast address of the multicast packets is 224.0.1.2.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1] ntp-service multicast-client 224.0.1.2

ntp-service multicast-server

Function

The ntp-service multicast-server command specifies an interface on the local device to send NTP multicast packets. The local device runs in the multicast server mode.

The undo ntp-service multicast-server command cancels the NTP multicast server mode.

By default, the multicast server mode is not configured.

Format

ntp-service multicast-server [ ip-address ] [ version number | authentication-keyid key-id | ttl ttl-number ] *

ntp-service multicast-server [ ipv6 [ ipv6-address ] ] [ authentication-keyid key-id | ttl ttl-number ] *

undo ntp-service multicast-server [ ip-address | ipv6 [ ipv6-address ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Indicates the multicast IP address. | The default address is 224.0.1.1. |
| ipv6 [ ipv6-address ] | Indicates the multicast IPv6 address. | The default IPv6 address is FF0E::0101. |
| version number | Indicates the NTP version number. If this parameter is not specified, the version number is a default value. | The value is an integer that ranges from 1 to 4. The default value is 3. |
| authentication-keyid key-id | Indicates the authentication key ID used when sending messages to the multicast clients. If this parameter is not specified, authentication is not performed. | The key ID is an integer that ranges from 1 to 4294967295. |
| ttl ttl-number | Indicates the life span of the multicast packet. If this parameter is not specified, the life span of the multicast packet is a default value. | The ttl number is an integer that ranges from 1 to 255. The default value is 255. |

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To perform clock synchronization in the multicast mode, run the ntp-service multicast-server command to specify the current interface on the local device to send NTP multicast packets. The local device runs in the multicast server mode, and functions as the multicast server to periodically send multicast packets to the multicast client.

Follow-up Procedure

When the configuration is complete, run the display ntp-service sessions command to obtain session information about the multicast server and the local device.

NOTE:

You can configure a maximum of 128 multicast servers on the local device.

Example

# Configure GE0/0/1 to send NTP multicast packets. The multicast IPv4 address is 224.0.1.1, the authentication key ID is 4 and the NTP version number is 3.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1] ntp-service multicast-server 224.0.1.1 authentication-keyid 4 version 3

ntp-service refclock-master

Function

The ntp-service refclock-master command sets the local clock to be the NTP primary clock that provides the synchronizing time for other devices.

The undo ntp-service refclock-master command cancels the configuration of the NTP primary clock.

By default, no NTP primary clock is specified.

Format

ntp-service refclock-master [ ip-address ] [ stratum ]

undo ntp-service refclock-master [ ip-address ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies the IP address of the local reference clock. When no IP address is assigned, the local clock whose IP address is 127.127.1.0 is set as the default NTP primary clock. | The value of ip-address is 127.127.1.u, and u ranges from 0 to 3, which represents the number of the selected local clock. |
| stratum | Specifies the stratum of the NTP primary clock. If this parameter is not specified, the stratum is a default value. | The value of the stratum is an integer that ranges from 1 to 15. The default value is 8. A smaller stratum value indicates a more accurate clock. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The local clock is the clock of the device itself. Run the ntp-service refclock-master command to set the local clock as the NTP primary clock that provides the synchronization time for other devices.

In NTP, time synchronization in an NTP synchronization subnet proceeds from a smaller stratum to a larger stratum, that is, from the 1st level to the 15th level. An authoritative clock is used as the reference time source for the synchronization subnet and is located at the top of the synchronization subnet. The authoritative clock is stratum 0. Currently, the authoritative clock is usually a radio clock or the Global Positioning System. The time of the authoritative clock is synchronized through the broadcast UTC time code rather than through NTP.

Precautions

A device on the network can perform clock synchronization in the following manners.
  • Synchronizing with the local clock: The local clock is used as the reference clock.
  • Synchronizing with another device on the network: This device is used as an NTP clock server to provide a reference clock for the local end.

If both manners are configured, the device selects the optimal clock source by selecting a preferred clock. That is, the clocks determined in the two manners are compared to determine which has the lower stratum. The clock with the lower stratum is the preferred clock source.

Example

# Set the local clock to be the NTP primary clock, with its stratum set to 3.

<Huawei> system-view
[Huawei] ntp-service refclock-master 3

ntp-service reliable authentication-keyid

Function

The ntp-service reliable authentication-keyid command specifies the authentication key to be reliable.

The undo ntp-service reliable authentication-keyid command cancels the current setting.

By default, no authentication key is specified to be reliable.

Format

ntp-service reliable authentication-keyid key-id

undo ntp-service reliable authentication-keyid key-id

Parameters

| Parameter | Description | Value |
|---|---|---|
| key-id | Indicates the key number. | The key ID is an integer that ranges from 1 to 4294967295. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If identity authentication is enabled, this command is used to specify that one or more keys are reliable. That is, the client can be synchronized only with a server that provides a reliable key. The client cannot be synchronized with a server that provides unreliable keys.

Example

# Enable identity authentication in NTP and adopt the hmac-sha256 authentication mode, with key number 37 and the key BetterKey. Specify the key as reliable.

<Huawei> system-view
[Huawei] ntp-service authentication enable
[Huawei] ntp-service authentication-keyid 37 authentication-mode hmac-sha256 BetterKey
[Huawei] ntp-service reliable authentication-keyid 37

ntp-service source-interface

Function

The ntp-service source-interface command specifies the local source interface that sends NTP packets.

The undo ntp-service source-interface command cancels the current setting.

By default, the local source interface is not specified for sending NTP packets. The local source interface is automatically determined based on the route.

Format

ntp-service [ ipv6 ] source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

undo ntp-service [ ipv6 ] source-interface [ vpn-instance vpn-instance-name ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ipv6 | Indicates that the network type of the local source interface is IPv6. | - |
| interface-type interface-number | Indicates the local interface for sending the NTP packets. | - |
| vpn-instance vpn-instance-name | Indicates the name of the VPN instance. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Specifying the local source interface for sending and receiving NTP packets prevents the IP address of any other interface on the device from being used as the destination address of a reply packet, which makes it easier to deploy a flow control policy later. If the interface is not specified, the source IP address of the NTP packets is selected according to the route.

Precautions

For broadcast, multicast, and manycast modes, NTP service is implemented on the specified interface, and this interface is the source interface. Therefore, the ntp-service source-interface command is invalid for broadcast, multicast, and manycast modes.

Example

# Specify GE0/0/1 as the source interface to send all the NTP packets.

<Huawei> system-view
[Huawei] ntp-service source-interface gigabitethernet 0/0/1

ntp-service unicast-peer

Function

The ntp-service unicast-peer command configures NTP peer mode.

The undo ntp-service unicast-peer command cancels the NTP peer mode.

By default, the NTP peer mode is not configured.

Format

ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id | maxpoll max-number | minpoll min-number | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *

ntp-service unicast-peer ipv6 ipv6-address [ authentication-keyid key-id | maxpoll max-number | minpoll min-number | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *

undo ntp-service unicast-peer { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Indicates the IPv4 address of the remote peer. | The parameter ip-address is a host address and cannot be the broadcast address, the multicast address or the IP address of a reference clock. |
| ipv6 ipv6-address | Indicates the IPv6 address of the remote server. | The value of ipv6-address is a unicast address, and cannot be the IPv6 address of the reference clock. |
| version number | Indicates the NTP version number. If this parameter is not specified, the default version number is used. | The version number is an integer that ranges from 1 to 4. By default, it is 3. |
| authentication-keyid key-id | Indicates the authentication key ID used when transmitting messages to the remote peer. If this parameter is not specified, authentication is not performed. | The key ID is an integer that ranges from 1 to 4294967295. |
| maxpoll max-number | Indicates the maximum NTP poll interval. | The value is an integer that ranges from 10 to 17. |
| minpoll min-number | Indicates the minimum NTP poll interval. | The value is an integer that ranges from 3 to 6. |
| source-interface interface-type interface-number | Indicates the source interface from which the symmetric active end sends NTP packets to the symmetric passive end. The source IP address of the NTP packets is the IP address of this interface. | - |
| vpn-instance vpn-instance-name | Specifies the VPN instance name. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| preference | Indicates the remote peer as the preferred one. By default, the remote peer is not preferred. NOTE: Generally, clocks are filtered based on the synchronization distance and dispersion. The clock is preferentially selected from the list of candidate clocks after filtering. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the clock of a device on the network needs to be synchronized in symmetric peer mode, you can run the ntp-service unicast-peer command to configure a remote node as the symmetric peer of the device. The local device runs in symmetric active peer mode. In this mode, the device and the remote peer can synchronize their clocks with each other.

Precautions

A maximum of 128 peers can be configured for the local device. The optimal symmetric peer is selected as the synchronization source.

When you run the undo ntp-service unicast-peer command with a specified vpn-instance vpn-instance-name, the configuration of the NTP symmetric passive peer with the IP address ip-address on the VPN is canceled. If vpn-instance vpn-instance-name is not specified, the configuration of the NTP symmetric passive peer with the IP address ip-address on the public network is canceled.

If the same server is specified in at least 2 commands that are run in sequence to configure the symmetric peer mode, during the configuration restoration, the last run command takes effect. For example, the ntp-service unicast-peer 10.10.1.1 source-interface gigabitethernet 1/0/0 command and the ntp-service unicast-peer 10.10.1.1 command are run in sequence. During the configuration restoration, only the ntp-service unicast-peer 10.10.1.1 command takes effect.

Example

# Configure the peer 10.10.1.1 to provide the synchronizing time for the local device. The local device can also provide synchronizing time for the peer. The version number is 3. The source IP address of the NTP packets is the address of GE0/0/1.

<Huawei> system-view
[Huawei] ntp-service unicast-peer 10.10.1.1 version 3 source-interface gigabitethernet 0/0/1

ntp-service unicast-server

Function

The ntp-service unicast-server command configures the NTP server mode.

The undo ntp-service unicast-server command cancels the NTP server mode.

By default, the NTP server mode is not configured.

Format

ntp-service unicast-server ip-address [ version number | authentication-keyid key-id | maxpoll max-number | minpoll min-number | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *

ntp-service unicast-server ipv6 ipv6-address [ authentication-keyid key-id | maxpoll max-number | minpoll min-number | source-interface interface-type interface-number | vpn-instance vpn-instance-name | preference ] *

undo ntp-service unicast-server { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Indicates the IPv4 address of the remote server. | The value of ip-address must be an IP address of a host, but cannot be a broadcast address, multicast address, or reference clock's IP address. |
| ipv6 ipv6-address | Indicates the IPv6 address of the remote server. | The value of ipv6-address must be an IP address of a host, but cannot be a broadcast address, multicast address, or reference clock's IP address. |
| version number | Indicates the NTP version number. If this parameter is not specified, the default version number is used. | The version number is an integer that ranges from 1 to 4. By default, the version number is 3. |
| authentication-keyid key-id | Indicates the authentication key ID used when messages are transmitted to the remote server. If this parameter is not specified, authentication is not performed. | The key ID is an integer that ranges from 1 to 4294967295. |
| maxpoll max-number | Indicates the maximum NTP poll interval. | The value is an integer that ranges from 7 to 17. |
| minpoll min-number | Indicates the minimum NTP poll interval. | The value is an integer that ranges from 3 to 6. |
| source-interface interface-type interface-number | Indicates the source interface from which the unicast client sends NTP packets to the unicast server. The source IP address of the NTP packets is the IP address of this interface. | - |
| vpn-instance vpn-instance-name | Specifies the VPN instance name. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| preference | Indicates the remote server as the preferred one. By default, the remote server is not preferred. NOTE: Generally, clocks are filtered based on the synchronization distance and dispersion. The clock is preferentially selected from the list of candidate clocks after filtering. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the clock of a device on the network needs to be synchronized in unicast server/client mode, run the ntp-service unicast-server command. The remote server specified by ip-address is then used as the local clock server, and the local device runs in client mode. In this mode, the local client can be synchronized to the remote server, but the remote server cannot be synchronized to the local client.

If the client is enabled with the authentication function and configured with the corresponding authentication key, the server sends NTP packets with authentication to the client after receiving the synchronization request of the client. The received packets are authenticated by the client. After the authentication succeeds, the clock is synchronized. If the client is not enabled with the authentication function, the server sends NTP packets without authentication to the client after receiving the synchronization request of the client. The clock is synchronized after the client receives the packets.

Precautions

A maximum of 128 servers can be configured for the local device. The optimal symmetric peer is selected as the synchronization source.

If you need to delete a VPN instance, you must check whether the VPN instance is bound to the NTP server to ensure that the configuration can meet the requirements.

When the undo ntp-service unicast-server command is run with the parameter vpn-instance vpn-instance-name specified, the configuration of the NTP server with the IP address ip-address in the VPN is canceled. If the parameter vpn-instance vpn-instance-name is not specified, the configuration of the NTP server with the IP address ip-address in the public network is canceled.

If the same server is specified in at least 2 commands that are run in sequence to configure the NTP server mode, during the configuration restoration, the last run command takes effect. For example, the ntp-service unicast-server 10.10.1.1 source-interface gigabitethernet 1/0/0 command and the ntp-service unicast-server 10.10.1.1 command are run in sequence. During the configuration restoration, only the ntp-service unicast-server 10.10.1.1 command takes effect.

Example

# Configure the server 10.10.1.1 to provide the synchronizing time for the local device. The NTP version number is 3.

<Huawei> system-view
[Huawei] ntp-service unicast-server 10.10.1.1 version 3

# Configure the server 10.10.1.1 with VPN instance "abc" to provide the synchronizing time for the local device.

<Huawei> system-view
[Huawei] ntp-service unicast-server 10.10.1.1 vpn-instance abc
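
An added example (not Huawei tooling) of an offline check that ties together the reliable-key rule under ntp-service reliable authentication-keyid and the statement above that omitting authentication-keyid means authentication is not performed. It flags client-side NTP associations that are unauthenticated, reference an undefined key, or reference a key not marked reliable. The sample configuration is constructed from the command syntax in this reference, and the layout of a saved configuration (indented interface sub-commands) is an assumption.

```python
import re

# Constructed sample configuration, written with the command syntax from this
# reference. It is not output captured from a device.
SAMPLE_CONFIG = """\
ntp-service authentication enable
ntp-service authentication-keyid 37 authentication-mode hmac-sha256 BetterKey
ntp-service authentication-keyid 6 authentication-mode hmac-sha256 OtherKey
ntp-service reliable authentication-keyid 37
ntp-service unicast-server 10.10.1.1 version 3
ntp-service unicast-server 10.10.1.2 authentication-keyid 37
ntp-service unicast-peer 10.10.1.3 authentication-keyid 42
interface GigabitEthernet1/0/0
 ntp-service manycast-client ipv6 FF0E::111 authentication-keyid 6
"""

# Client-side associations that accept authentication-keyid according to the
# Format sections of this reference.
ASSOC = re.compile(r"^ntp-service (unicast-server|unicast-peer|manycast-client)\b(.*)$")
KEY_DEF = re.compile(r"^ntp-service authentication-keyid (\d+) authentication-mode \S+")
KEY_RELIABLE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)$")
KEY_REF = re.compile(r"\bauthentication-keyid (\d+)")


def audit(config):
    """Return (scope, command, issue) tuples for weak NTP authentication."""
    auth_enabled = False
    defined, reliable, assocs = set(), set(), []
    scope = "system"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            # An unindented line leaves any interface view (assumed layout).
            scope = line.split(None, 1)[1] if line.startswith("interface ") else "system"
        if line == "ntp-service authentication enable":
            auth_enabled = True
        elif m := KEY_DEF.match(line):
            defined.add(int(m.group(1)))
        elif m := KEY_RELIABLE.match(line):
            reliable.add(int(m.group(1)))
        elif m := ASSOC.match(line):
            ref = KEY_REF.search(m.group(2))
            assocs.append((scope, line, int(ref.group(1)) if ref else None))

    findings = []
    if not auth_enabled:
        findings.append(("system", "", "authentication-not-enabled"))
    for scope, line, key in assocs:
        if key is None:
            issue = "no-authentication-keyid"   # authentication is not performed
        elif key not in defined:
            issue = "key-not-defined"           # key ID has no matching key
        elif key not in reliable:
            issue = "key-not-reliable"          # client cannot sync on this key
        else:
            continue
        findings.append((scope, line, issue))
    return findings


if __name__ == "__main__":
    for scope, command, issue in audit(SAMPLE_CONFIG):
        print(f"{issue:26} [{scope}] {command}")
```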

Updated: 2019-02-18

Document ID: EDOC1000097293