Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring the NTP

Configuring Basic NTP Functions

You can configure basic NTP functions to enable devices on the network to synchronize clocks.

Pre-configuration Tasks

Before the basic NTP functions are configured, complete the following task:

  • Configuring the network layer address and routing protocol of an interface to ensure that NTP packets can reach the destination.

Configuration Procedure

Basic NTP configuration contains the configuration of the NTP operating mode.

Configuring NTP Operating Modes

Context

The following NTP operating modes are supported by a device. In the descriptions below, "stratum number" is the NTP stratum value: a smaller number means a clock closer to the reference clock.

Unicast client/server mode

  Usage scenario: Used on the higher strata of a synchronization subnet. In this mode, the IP address of the server must be known in advance.

  Deployment location: Configure only the client. The server needs to be configured with only an NTP primary clock.

  Synchronization direction: The client synchronizes to the server; the server is never synchronized to the client.

Symmetric peer mode

  Usage scenario: Used on the lower strata of a synchronization subnet. In this mode, a symmetric active peer and a symmetric passive peer can synchronize with each other, so the two devices act as mutual backups.

  Deployment location: Configure only the symmetric active peer. The symmetric passive peer does not need any NTP command.

  Synchronization direction: The peer with the larger stratum number synchronizes to the peer with the smaller stratum number, whichever of the two that is.

Broadcast mode

  Usage scenario: Used when the IP address of the server or symmetric peer is not known in advance, or when a large number of devices on a network segment need to be synchronized.

  Deployment location: Commands need to be run on both the broadcast server and the broadcast client.

  Synchronization direction: The client synchronizes to the server; the server is never synchronized to the client.

NOTE:

If a source address from which NTP packets are sent is specified on the server, the address must be the same as the server IP address configured on the client. Otherwise, the client cannot process the NTP packets sent by the server, resulting in failed clock synchronization.

Procedure

  • Unicast Client/Server Mode

    NOTE:

    In the unicast client/server mode, you need to configure only the client. The server needs to be configured with only an NTP primary clock.

    Only after the clock on the server is synchronized can the server act as a clock server to which other devices synchronize. If the stratum number of the server is greater than or equal to the stratum number of the client, the client does not synchronize to the server.

    You can run the ntp-service unicast-server command repeatedly to configure multiple servers. The client selects the optimal clock source among them; a server configured with the preference keyword is preferred when the candidates are otherwise comparable.

    Configure the unicast client.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      ntp-service unicast-server ip-address [ version number | maxpoll max-number | minpoll min-number | authentication-keyid key-id | source-interface interface-type interface-number | preference ] *

      An NTP server is configured.

      The value of ip-address is the IP address of the NTP server. It must be the unicast address of a host; it cannot be a broadcast address, a multicast address, or the IP address of a reference clock.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

  • Symmetric Peer Mode

    NOTE:

    Only the IP address of the symmetric passive peer needs to be specified on the symmetric active peer, and both symmetric peers use this IP address to exchange NTP packets.

    At least one of the symmetric active peer and the symmetric passive peer must already be in the synchronized state. Otherwise, they cannot synchronize with each other.

    You can run the ntp-service unicast-peer command repeatedly to configure multiple symmetric passive peers. When a symmetric active peer has multiple symmetric passive peers configured, the synchronization direction follows the rule that the peer with the larger stratum number synchronizes to the peer with the smaller stratum number.

    Configure the symmetric active peer.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      ntp-service unicast-peer ip-address [ version number | maxpoll max-number | minpoll min-number | authentication-keyid key-id | source-interface interface-type interface-number | preference ] *

      The NTP peer with a specified IP address is configured.

      The value of ip-address must be a unicast address, and cannot be a broadcast address, a multicast address or the IP address of the local clock.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

  • Broadcast Mode

    NOTE:

    The broadcast mode can be used only on a local area network (LAN).

    Only after the clock of the broadcast server is synchronized, the broadcast client can be synchronized with the broadcast server.

    Configure the NTP broadcast server.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for sending NTP broadcast packets is specified, and the interface view is displayed.

    3. Run:

      ntp-service broadcast-server [ version number | authentication-keyid key-id ] *

      The local access point is configured as the NTP broadcast server.

      To specify the parameter authentication-keyid, see Configuring NTP Authentication.

    Configure the NTP broadcast client.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface for receiving NTP broadcast packets is specified, and the interface view is displayed.

    3. Run:

      ntp-service broadcast-client

      The local access point is configured as the NTP broadcast client.

Checking the Configuration

Prerequisites

All configurations of basic NTP functions are completed.

Procedure

  • Run the display ntp-service status command to check the NTP service status.
  • Run the display ntp-service sessions [ verbose ] command to check the NTP session status.
  • Run the display ntp-service trace command to check the path of reference clock source from the local device.
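The following is an added example for the unicast client/server mode; it is not taken from this guide. It shows both sides of the exchange and the pitfall described in the NOTE above: when the server sends NTP packets from a configured source interface, the client must be pointed at that interface's address. The interface names and addresses (LoopBack 0, 10.255.0.1, 10.1.1.1) are hypothetical. The ntp-service refclock-master command is the primary-clock command used on other Huawei VRP platforms and is assumed here, because this page does not list it. Lines starting with # are annotations, not CLI input.

```text
# --- Server side: only the primary clock (and, optionally, a source interface) is configured ---
system-view
 ntp-service enable
 ntp-service refclock-master 2               # assumed command: local clock is the reference clock, stratum 2
 ntp-service source-interface LoopBack 0     # server now sends and receives NTP packets as 10.255.0.1
 quit

# --- Client side: all mode configuration lives here ---
system-view
 ntp-service enable
 ntp-service unicast-server 10.255.0.1 version 4 preference   # correct: matches the server's source address
 # ntp-service unicast-server 10.1.1.1 version 4               # wrong: replies arrive from 10.255.0.1 and are discarded
 quit

# --- Checks on the client ---
display ntp-service status                  # the clock should be synchronized; client stratum = server stratum + 1
display ntp-service sessions verbose        # the session to 10.255.0.1 must be present
display ntp-service trace                   # client -> 10.255.0.1 -> the server's local reference clock

# Two reasons the client stays unsynchronized even with the right address:
#  - the server's own clock is not yet synchronized (a server only serves time once it is synchronized);
#  - the server's stratum number is greater than or equal to the client's, so the client refuses it.
```

If the server's source interface goes Down, the server falls back to the primary address of the outbound interface (10.1.1.1 here) and the client silently stops synchronizing; display ntp-service sessions verbose on the client is the first place that shows it.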

Configuring the Local Source Interface for Sending and Receiving NTP Packets

You can configure a local source interface for sending and receiving NTP packets, so that every NTP packet leaves the device with the IP address of that interface and replies are addressed to it, rather than to the IP address of whichever interface the route happens to select. A stable NTP source address makes it simpler to write traffic control policies and peer-side ACLs.

Prerequisites

All configurations of basic NTP functions have been completed.

NOTE:

If the source-interface parameter is specified in the ntp-service unicast-server or ntp-service unicast-peer command, that interface takes effect for that server or peer in preference to the global setting made here.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp-service source-interface interface-type interface-number

    The local source interface for sending and receiving NTP packets is configured.

    By default, no local source interface is specified, and the source IP address of an NTP packet is chosen according to the route.

    In broadcast mode, NTP packets are sent and received on the interface where the broadcast server or broadcast client is configured, so the ntp-service source-interface command does not take effect.

    If the specified NTP source interface is in Down state, the source IP address of a sent NTP packet falls back to the primary IP address of the packet's outbound interface. A peer that expects the source-interface address then discards the packets, so a Down source interface shows up as lost synchronization.

Checking the Configuration
  • Run the display current-configuration | include ntp command to check the configuration about the local source interface for sending and receiving NTP packets.

Limit on the Number of Local Dynamic Sessions

Dynamic sessions and static sessions share the device's NTP session resources, so an excess of dynamic sessions leaves too few resources for static sessions. To address this problem, you can limit the number of dynamic sessions on the device.

Prerequisites

All configurations of basic NTP functions have been completed.

Context

In unicast client/server mode and symmetric peer mode, a session is created by a command line and is therefore a static session. In broadcast mode and multicast mode, a session is created when NTP packets are received, and is therefore a dynamic session. Only dynamic sessions are subject to the limit on the number of local dynamic sessions.

NOTE:

The ntp-service max-dynamic-sessions command runs without affecting the existing NTP sessions. When the number of local dynamic NTP sessions exceeds the maximum number, a new session cannot be established.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp-service max-dynamic-sessions number

    The number of local dynamic sessions that can be established is configured.

    By default, a maximum of 100 NTP dynamic sessions can be established.

Checking the Configuration
  • Run the display current-configuration | include ntp command to check the number of local dynamic sessions that can be established.

Configuring NTP Access Control

On networks requiring high security, use the NTP security functions to prevent attackers from tampering with NTP packets, from feeding the device a false time source, or from using the device as an unintended time source or query target.

Prerequisites

All configurations of basic NTP functions have been completed.

Configuration Order

You can perform the following configuration tasks in any sequence as required.

Disabling a Specified Interface from Receiving NTP Packets

Context

You can disable the interface connected to external devices from receiving NTP packets in the following scenarios:
  • An unreliable clock server is reachable through the interface. After the NTP function is enabled, all interfaces receive NTP packets by default, and an unreliable clock source makes the NTP clock data inaccurate.
  • The interface is exposed to attack, and forged NTP packets received on it could modify the NTP clock data.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface to be disabled from receiving NTP packets is specified, and the interface view is displayed.

  3. Run:

    ntp-service in-interface disable

    The interface is disabled from receiving NTP packets.

Disabling the NTP Service Function

Context

You can disable the NTP service when the device must not be synchronized to the clock of an external server or symmetric peer, or when the device does not need to provide a reference clock source for external clients.

NOTE:

The existing configuration is not deleted when the NTP service function is disabled.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    undo ntp-service enable

    The NTP service function on the device is disabled.

    By default, the NTP service function on the local device is disabled.

  3. Run:

    ntp-service server disable

    NTP server function is disabled on the device.

    By default, NTP server is enabled.

Configuring NTP Access Control Authority

Context

NTP access control is a simple security measure. When an access request reaches the local end, it is matched against the configured access authorities from the highest to the lowest, in the order peer, server, synchronization, query, and the first matching authority takes effect. The authorities are:
  • peer: indicates the maximum access authority. The remote end can send time requests and control queries to the local NTP service, and the local clock can also be synchronized to the clock of the remote end.

  • server: indicates that the remote end can send time requests and control queries to the local end. The local clock, however, cannot be synchronized to the clock of the remote end.

  • synchronization: indicates that the remote end can send only time requests to the local end.

  • query: indicates the minimum access authority. The remote end can send only control queries to the local end.

The access control authority is configured on different devices in different NTP operating modes, as described in Table 5-19.

Table 5-19  Configuration of the NTP access control authority

Unicast NTP client/server mode
  • To restrict the client from synchronizing to the server: configure the authority on the client.
  • To restrict the server from processing the clock synchronization request sent by the client: configure the authority on the server.

NTP symmetric peer mode
  • To restrict the symmetric passive peer and the symmetric active peer from synchronizing with each other: configure the authority on the symmetric active peer.
  • To restrict the symmetric passive peer from processing the clock request sent by the symmetric active peer: configure the authority on the symmetric passive peer.

NTP multicast mode
  • To restrict the client from synchronizing to the server: configure the authority on the NTP multicast client.

NTP broadcast mode
  • To restrict the client from synchronizing to the server: configure the authority on the NTP broadcast client.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure the basic ACL.

    Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see ACL Configuration.

  3. Run:

    ntp-service access { peer | query | server | synchronization } acl-number

    The access control authority of the NTP service is configured.

    By default, no access control authority is set.

    NOTE:
    Check the ACL rules before binding the ACL to an NTP access authority. When a rule is permit, the peer device with the source IP address matched by that rule can access the NTP service on the local device with the authority given in the ntp-service access command. When a rule is deny, the peer device with the matched source IP address cannot access the NTP service on the local device.

Configuring KOD

Context

Kiss-o'-Death (KOD) is an access control mechanism introduced in NTPv4. A KOD packet lets a server report its status to a client and enforce access control toward that client.

After KOD is enabled on the server, the server sends the kiss code DENY or the kiss code RATE to a client according to the operating status of the system.

  • When receiving the kiss code DENY, the client terminates all associations with the server and stops sending packets to it.
  • When receiving the kiss code RATE, the client immediately increases its poll interval with the server, that is, it polls the server less often. Each further kiss code RATE received after that increases the poll interval again.

NOTE:

KOD supports the unicast client/server mode, symmetric peer mode, and manycast mode.

KOD only functions in NTPv4. Hosts running NTPv3 cannot be kept away by KOD alone; restrict them with the access control authority instead.

The following configuration is performed on the server.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp-service kod-enable

    The KOD function is enabled.

    By default, the KOD function is disabled.

  3. Configure the basic ACL.

    Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see ACL Configuration.

  4. Run:

    ntp-service access limited acl-number

    Control on the rate of incoming NTP packets is enabled.

    By default, control on the rate of incoming NTP packets is disabled.

    NOTE:

    Before enabling control on the rate of incoming NTP packets, check the ACL rule configuration. When the ACL rule matching a client is deny, the server sends the kiss code DENY to that client. When the rule is permit and the rate of incoming NTP packets from the client reaches the upper threshold, the server sends the kiss code RATE.

  5. Run:

    ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val } * 

    The minimum inter-packet interval and the average inter-packet interval of NTP are configured.

    By default, the minimum inter-packet interval of NTP is 2^1 = 2 seconds, and the average inter-packet interval of NTP is 2^5 = 32 seconds.

Configuring NTP Authentication

Context

In networks demanding high security, enable the NTP authentication function. The client and the server share a symmetric key, and each NTP packet carries a message digest computed with that key, so the client synchronizes only to a server that holds the same key and forged or modified packets are discarded. Authentication protects the integrity and origin of NTP packets only; the packets are not encrypted.

When configuring the NTP authentication function, note the following rules:

  • The NTP authentication function must be enabled first; otherwise, authentication cannot be implemented.

  • The NTP authentication function needs to be configured on both the client and the server. Otherwise, it does not take effect.

  • After the NTP authentication function is enabled, a trusted (reliable) key must be configured on the client.

  • The key ID and key configured on the server and the client must be identical.

  • The device that wants to synchronize its clock must declare its key as reliable. Otherwise, NTP authentication fails.

NOTE:

In NTP symmetric peer mode, the symmetric active peer functions as a client and the symmetric passive peer functions as a server.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ntp-service authentication enable

    The NTP authentication function is enabled.

  3. Run:

    ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 } [ cipher ] password

    The NTP authentication key is configured. Choose hmac-sha256 wherever every peer supports it; md5 remains only for interoperability with peers that support nothing else. The key ID must be the one used on the remote end.

  4. Run:

    ntp-service reliable authentication-keyid key-id

    The reliable key is specified.

Follow-up Procedure

After the configuration of the NTP authentication is completed, apply the NTP authentication key in Configuring NTP Operating Modes. That is, specify the parameter authentication-keyid.
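The following is an added example, not taken from this guide, that puts the access control and authentication sections together: a weak baseline, then a hardened client and the matching server side covering Configuring NTP Authentication, Configuring NTP Access Control Authority, Configuring KOD, Disabling a Specified Interface from Receiving NTP Packets, and Limit on the Number of Local Dynamic Sessions. Interface names, addresses, ACL numbers, and the key value are hypothetical. The basic ACL syntax (acl / rule permit source) follows the Huawei VRP ACL Configuration section this page refers to but does not reproduce, so verify it against that section. Lines starting with # are annotations, not CLI input.

```text
# ===== Weak baseline: synchronizes, but from anyone who answers, and answers anyone who asks =====
system-view
 ntp-service enable
 ntp-service unicast-server 10.1.1.1
 quit

# ===== Hardened client (an AP that only consumes time) =====
system-view
 ntp-service enable

 # 1. Authentication first. The same key ID and key must exist on every server.
 ntp-service authentication enable
 ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher Ntp-Example-Key-10   # hypothetical key
 ntp-service reliable authentication-keyid 10     # a configured but non-reliable key is never used to accept a server

 # 2. Operating mode bound to the key and to one source interface.
 ntp-service source-interface Vlanif 10
 ntp-service unicast-server 10.1.1.1 version 4 authentication-keyid 10 preference
 ntp-service unicast-server 10.1.1.3 version 4 authentication-keyid 10

 # 3. Access control authority. peer is matched first, query last.
 acl 2000                                 # the only sources this device may synchronize from
  rule 5 permit source 10.1.1.1 0
  rule 10 permit source 10.1.1.3 0
  rule 100 deny
  quit
 acl 2001                                 # management hosts: control queries only
  rule 5 permit source 10.1.2.0 0.0.0.255
  rule 100 deny
  quit
 ntp-service access peer 2000
 ntp-service access query 2001

 # 4. Reduce the attack surface: no NTP on the uplink, no serving time, few dynamic sessions.
 interface GigabitEthernet 0/0/0
  ntp-service in-interface disable
  quit
 ntp-service server disable
 ntp-service max-dynamic-sessions 20
 quit

# ===== Hardened server side (the device at 10.1.1.1 that serves these clients) =====
system-view
 ntp-service authentication enable
 ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher Ntp-Example-Key-10
 ntp-service reliable authentication-keyid 10
 acl 2002                                 # clients allowed to request time; everyone else is denied
  rule 5 permit source 10.1.0.0 0.0.255.255
  rule 100 deny
  quit
 ntp-service access server 2002           # clients may request time and query; the server never syncs to them
 ntp-service kod-enable                   # NTPv4 only: denied hosts receive DENY, over-rate hosts receive RATE
 ntp-service access limited 2002
 quit

# ===== Verify on the client =====
display current-configuration | include ntp
display ntp-service status                # the clock should be synchronized to 10.1.1.1
display ntp-service sessions verbose      # a missing session to 10.1.1.1 usually means a key ID, key, or
                                          # reliable-key mismatch between the two ends
```

The order matters: enable authentication and declare the key reliable before adding the authentication-keyid parameter to the unicast-server commands, and keep the ACLs explicit (a final deny rule) so that a host that is not a time server can never match the peer authority by accident. The default KOD intervals (2 seconds minimum, 32 seconds average) are left unchanged here.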

Checking the Configuration

Prerequisites

The configuration of NTP access control is completed.

Procedure

  • Run the display current-configuration | include ntp command to check the NTP configuration.
  • Run the display ntp-service status command to check the NTP service status.
  • Run the display ntp-service sessions [ verbose ] command to check the NTP session status.
Updated: 2019-01-11

Document ID: EDOC1000176006
