
CLI: Example for Configuring NTP Authentication in Unicast Server and Client Mode

In client/server mode, the clock on the client synchronizes with the master clock on the server.

Prerequisites

Before the configuration, ensure that the time zone of the client is the same as that of the server. If they are inconsistent, run the clock timezone time-zone-name { add | minus } offset command to adjust the time zone.

Networking Requirements

As shown in Figure 1,

  • FW_A functions as a unicast NTP server. The clock on it functions as a primary NTP clock with the stratum being 2.

  • FW_B functions as a unicast NTP client. Its clock needs to be synchronized with the clock on FW_A.

  • FW_C and FW_D function as NTP clients of FW_B.

  • Enable NTP authentication.

Figure 1 Networking diagram of the unicast client/server mode

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure FW_A to be an NTP server and configure a primary clock on it.

  2. Configure FW_B to be an NTP client and synchronize its clock with the clock of FW_A.

  3. Configure FW_C and FW_D to synchronize their clocks with the clock of FW_B.

  4. Enable NTP authentication on all FWs.

  • You must enable NTP authentication on the client prior to specifying the IP address of the NTP server and authentication key to be sent to the server; otherwise, NTP authentication is not performed before clock synchronization.

  • To implement authentication successfully, configure both the server and the client.
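What the authentication commands in this example control on the wire, as an added sketch (not Huawei code): it assumes the standard NTP symmetric-key format, in which a 4-byte key ID and MD5(key || header) follow the 48-byte header. The packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY_ID, KEY = 42, b"Hello123"   # key ID and key used in this example's commands

def ntp_header(stratum: int, mode: int) -> bytes:
    """Constructed 48-byte NTPv3 header; timestamps are left zero for brevity."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode   # LI=0, VN=3, mode 3=client, 4=server
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -18) + bytes(44)

def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: 4-byte key ID, then MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def verify(packet: bytes, keys: dict, reliable: set) -> str:
    """Receiver-side decision for one packet.

    keys     -> what 'authentication-keyid ... authentication-mode md5' defines
    reliable -> what 'reliable authentication-keyid' declares
    """
    if len(packet) == 48:
        return "no MAC"            # unauthenticated packet
    if len(packet) != 68:
        return "malformed"
    header, digest = packet[:48], packet[52:]
    key_id = struct.unpack("!I", packet[48:52])[0]
    if key_id not in keys:
        return "unknown key ID"
    if key_id not in reliable:
        return "key not reliable"
    expected = hashlib.md5(keys[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, digest) else "bad MAC"

if __name__ == "__main__":
    reply = sign(ntp_header(stratum=2, mode=4), KEY_ID, KEY)   # FW_A answering FW_B
    tampered = bytes([reply[0], 1]) + reply[2:]                # stratum changed in transit
    print("same key, reliable :", verify(reply, {42: KEY}, {42}))
    print("different key      :", verify(reply, {42: b"Hello124"}, {42}))
    print("key not reliable   :", verify(reply, {42: KEY}, set()))
    print("header tampered    :", verify(tampered, {42: KEY}, {42}))
    print("no MAC on packet   :", verify(ntp_header(2, 4), {42: KEY}, {42}))
```

A receiver that accepts the "no MAC" case for a server it was told to authenticate gets no protection from the key, which is why the key must be bound to the server on the client.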

Procedure

  1. Configure the IP addresses and routes based on Figure 1, add the interfaces to the corresponding security zones, and configure security policies between the security zones to ensure normal network communication. The detailed procedures are not described here.
  2. Configure a primary NTP clock on FW_A and enable NTP authentication.

    # On FW_A, set its local clock as a primary NTP clock with stratum being 2.

    <FW_A> system-view
    [FW_A] ntp-service refclock-master 2

    # Enable the NTP server function.

    [FW_A] undo ntp-service server disable

    # Enable NTP authentication, configure the authentication key, and declare the key to be reliable.

    [FW_A] ntp-service authentication enable
    [FW_A] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
    [FW_A] ntp-service reliable authentication-keyid 42

    Note that authentication keys configured on the server and the client should be the same.

  3. Enable the NTP server function on FW_B.

    <FW_B> system-view
    [FW_B] undo ntp-service server disable

  4. Configure a primary NTP clock on FW_B and enable NTP authentication.

    Before you configure the NTP clock, check whether a local clock has been configured on FW_B. If a local clock has been configured on FW_B, you are advised to turn it off to prevent it from affecting the verification results.

    # On FW_B, enable NTP authentication. Configure the authentication key and declare the key to be reliable.

    [FW_B] ntp-service authentication enable
    [FW_B] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
    [FW_B] ntp-service reliable authentication-keyid 42

    # Specify FW_A to be the NTP server of FW_B and use the authentication key.

    [FW_B] ntp-service unicast-server 2.2.2.2 authentication-keyid 42

  5. On FW_C, specify FW_B to be the NTP server of FW_C.

    <FW_C> system-view
    [FW_C] ntp-service authentication enable
    [FW_C] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
    [FW_C] ntp-service reliable authentication-keyid 42
    [FW_C] ntp-service unicast-server 10.0.0.1 authentication-keyid 42

  6. On FW_D, specify FW_B to be the NTP server of FW_D.

    <FW_D> system-view
    [FW_D] ntp-service authentication enable
    [FW_D] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
    [FW_D] ntp-service reliable authentication-keyid 42
    [FW_D] ntp-service unicast-server 10.0.0.1 authentication-keyid 42

  7. Verify the configuration.

    After the configuration is complete, the clock on FW_B can be synchronized with the clock on FW_A.

    View the NTP status on FW_B and find that the clock is synchronized. The stratum of the clock is 3, one stratum lower than that on FW_A.

    [FW_B] display ntp-service status
     clock status: synchronized
     clock stratum: 3
     reference clock ID: 2.2.2.2
     nominal frequency: 60.0002 Hz
     actual frequency: 60.0002 Hz
     clock precision: 2^18
     clock offset: 3.8128 ms
     root delay: 31.26 ms
     root dispersion: 74.20 ms
     peer dispersion: 34.30 ms
     reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)
     synchronization state: spike (clock will be set in 1010 secs)
    

    After the configuration is complete, the clock on FW_C can be synchronized with the clock on FW_B.

    View the NTP status on FW_C and find that the clock is synchronized. The stratum of the clock is 4, one stratum lower than that on FW_B.

    [FW_C] display ntp-service status
     clock status: synchronized
     clock stratum: 4
     reference clock ID: 10.0.0.1
     nominal frequency: 60.0002 Hz
     actual frequency: 60.0002 Hz
     clock precision: 2^18
     clock offset: 3.8128 ms
     root delay: 31.26 ms
     root dispersion: 74.20 ms
     peer dispersion: 34.30 ms
     reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)
     synchronization state: spike (clock will be set in 1010 secs)
    

    View the NTP status on FW_D and find that the clock is synchronized. The stratum of the clock is 4, one stratum lower than that on FW_B.

    [FW_D] display ntp-service status
     clock status: synchronized
     clock stratum: 4
     reference clock ID: 10.0.0.1
     nominal frequency: 60.0002 Hz
     actual frequency: 60.0002 Hz
     clock precision: 2^18
     clock offset: 3.8128 ms
     root delay: 31.26 ms
     root dispersion: 74.20 ms
     peer dispersion: 34.30 ms
     reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)
     synchronization state: spike (clock will be set in 1010 secs)
    

    View NTP status on FW_A.

    [FW_A] display ntp-service status
     clock status: synchronized
     clock stratum: 2
     reference clock ID: LOCAL(0)
     nominal frequency: 60.0002 Hz
     actual frequency: 60.0002 Hz
     clock precision: 2^18
     clock offset: 0.0000 ms
     root delay: 0.00 ms
     root dispersion: 26.50 ms
     peer dispersion: 10.00 ms
     reference time: 12:01:48.377 UTC Mar 2 2006(C7B15D2C.60A15981)
     synchronization state: spike (clock will be set in 1010 secs)
    

Configuration Scripts

  • Configuration script of FW_A

    #
     sysname FW_A
    #
    ospf 1
     area 0.0.0.0
      network 2.2.2.0 0.0.0.255
    #
    ntp-service authentication enable
    ntp-service authentication-keyid 42 authentication-mode md5 cipher %^%#H_{{GB(Q=KT+t9!Np.]6K3cDB]/F6*Z431"-74mM%^%#
    ntp-service reliable authentication-keyid 42
    ntp-service refclock-master 2
    undo ntp-service server disable
    #
    interface GigabitEthernet 0/0/2  
     ip address 2.2.2.2 255.255.255.0
    #
    return
    
  • Configuration script of FW_B

    #
     sysname FW_B
    #
    ospf 1
     area 0.0.0.0
      network 10.0.1.0 0.0.0.255
      network 10.0.0.0 0.0.0.255
    #
    ntp-service authentication enable
    ntp-service authentication-keyid 42 authentication-mode md5 cipher %^%#wjk1SSTnpSK.#}Wel^)B[ZpjUdx8k87qP4L9YXn@%^%#
    ntp-service reliable authentication-keyid 42
    ntp-service unicast-server 2.2.2.2 authentication-keyid 42
    #
    interface GigabitEthernet 0/0/2  
     ip address 10.0.0.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 10.0.1.1 255.255.255.0
    #
    return
    
  • Configuration script of FW_C

    #
     sysname FW_C
    #
     ntp-service authentication enable
     ntp-service authentication-keyid 42 authentication-mode md5 cipher %^%#ca^1S.TnpbA12aJK2l![JE1=)UdvX182qAYL4Ho@%^%#
     ntp-service reliable authentication-keyid 42
     ntp-service unicast-server 10.0.0.1 authentication-keyid 42
    #
    interface GigabitEthernet 0/0/2  
     ip address 10.0.0.2 255.255.255.0
    #
     return
    
  • Configuration script of FW_D

    #
     sysname FW_D
    #
     ntp-service authentication enable
     ntp-service authentication-keyid 42 authentication-mode md5 cipher %^%#6[`eHWP|E0\xJpC\InVBrY.|8rP(L-tJ^21e~aLm%^%#
     ntp-service reliable authentication-keyid 42
     ntp-service unicast-server 10.0.0.1 authentication-keyid 42
    #
    interface GigabitEthernet 0/0/2
     ip address 10.0.0.3 255.255.255.0
    #
     return
    
Copyright © Huawei Technologies Co., Ltd.