
CLI: Example for Configuring NTP Authentication in Broadcast Mode

On a LAN, the device with the most precise clock is specified as the NTP server. Clocks on other devices synchronize with the clock on the NTP server.

Prerequisites

Before the configuration, ensure that the time zone of the client is the same as that of the server. If they are inconsistent, run the clock timezone time-zone-name { add | minus } offset command to adjust the time zone.

Networking Requirements

As shown in Figure 1,

  • FW_C and FW_D are in the same network segment; FW_A is in another network segment; FW_F connects the two network segments.

  • FW_C functions as the NTP broadcast server, and its local clock is the NTP primary clock with stratum 3. Broadcast packets are sent from GigabitEthernet 0/0/2.

  • FW_D and FW_A each listen for the broadcast packets on their own GigabitEthernet 0/0/2.

  • NTP authentication is enabled.

Figure 1 Networking diagram of the NTP broadcast mode

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure FW_C as an NTP broadcast server.

  2. Configure FW_A and FW_D as the NTP broadcast clients.

  3. Configure NTP authentication on FW_A, FW_C, and FW_D.

Procedure

  1. Configure IP addresses and routes as shown in Figure 1, add the interfaces to the corresponding security zones, and configure security policies between the zones so that the devices can communicate. These steps are not described here.
  2. Configure an NTP broadcast server and enable NTP authentication on it.

    # Set the local clock of FW_C as a primary clock with stratum 3.

    <FW_C> system-view
    [FW_C] ntp-service refclock-master 3

    # Enable the NTP server function.

    [FW_C] undo ntp-service server disable

    # Enable NTP authentication.

    [FW_C] ntp-service authentication enable
    [FW_C] ntp-service authentication-keyid 16 authentication-mode md5 Hello123
    [FW_C] ntp-service reliable authentication-keyid 16

    # Configure FW_C to be an NTP broadcast server. Broadcast packets are authenticated with key ID 16 and sent from GigabitEthernet 0/0/2.

    [FW_C] interface GigabitEthernet 0/0/2
    [FW_C-GigabitEthernet 0/0/2] ntp-service broadcast-server authentication-keyid 16
    [FW_C-GigabitEthernet 0/0/2] quit

  3. Configure FW_D.

    # Enable NTP authentication.

    <FW_D> system-view
    [FW_D] ntp-service authentication enable
    [FW_D] ntp-service authentication-keyid 16 authentication-mode md5 Hello123
    [FW_D] ntp-service reliable authentication-keyid 16

    # Configure FW_D to be the NTP broadcast client. FW_D listens for the broadcast packets on GigabitEthernet 0/0/2.

    [FW_D] interface GigabitEthernet 0/0/2
    [FW_D-GigabitEthernet 0/0/2] ntp-service broadcast-client
    [FW_D-GigabitEthernet 0/0/2] quit

    After the configuration is complete, the clock on FW_D can be synchronized to the clock on FW_C.

  4. Configure FW_A.

    # Enable NTP authentication.

    <FW_A> system-view
    [FW_A] ntp-service authentication enable
    [FW_A] ntp-service authentication-keyid 16 authentication-mode md5 Hello123
    [FW_A] ntp-service reliable authentication-keyid 16

    # Configure FW_A to be the NTP broadcast client. FW_A listens for the NTP broadcast packets on GigabitEthernet 0/0/2.

    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet 0/0/2] ntp-service broadcast-client
    [FW_A-GigabitEthernet 0/0/2] quit

  5. Verify the configuration.

    After the configuration is complete, the clock on FW_D can be synchronized with the clock on FW_C. The clock on FW_A, however, is not synchronized: FW_A and FW_C are in different network segments, so FW_A never receives the broadcast packets sent by FW_C.

    Check the NTP status on FW_D: the clock status is "synchronized", meaning that clock synchronization is complete. The stratum of the clock on FW_D is 4, one stratum lower than that of FW_C.

    [FW_D] display ntp-service status
    clock status: synchronized
    clock stratum: 4
    reference clock ID: 10.1.1.2
    nominal frequency: 60.0002 Hz
    actual frequency: 60.0002 Hz
    clock precision: 2^18
    clock offset: 0.0000 ms
    root delay: 0.00 ms
    root dispersion: 0.42 ms
    peer dispersion: 0.00 ms
    reference time: 12:17:21.773 UTC Mar 7 2006(C7B7F851.C5EAF25B)
    synchronization state: spike (clock will be set in 1010 secs)
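To show what the `authentication-keyid 16` / `md5` settings in the procedure above actually protect on the wire, here is an added example that is not from the original page or from Huawei: it builds a constructed NTPv4 broadcast header, appends the key-ID-plus-MD5 MAC layout described in RFC 5905 Appendix A using the page's key ID 16 and key Hello123, and verifies it the way a broadcast client with authentication enabled must, rejecting unauthenticated packets, key IDs not declared reliable, wrong keys, and headers altered after signing. That Huawei's MD5 mode matches this layout byte for byte is an assumption, not something the page confirms.

```python
import hashlib
import hmac
import struct

# Trusted keys as configured on this page: key ID 16, MD5, plaintext "Hello123".
# Only IDs listed here count as reliable (ntp-service reliable authentication-keyid 16).
TRUSTED_KEYS = {16: b"Hello123"}
HEADER_LEN = 48          # fixed NTPv4 header
MAC_LEN = 4 + 16         # 4-byte key ID + 16-byte MD5 digest (RFC 5905, Appendix A; assumed layout)


def build_broadcast_packet(stratum: int, ref_id: bytes, tx_ts: int) -> bytes:
    """Constructed NTPv4 broadcast header (LI=0, VN=4, mode 5). Sample values only."""
    li_vn_mode = (0 << 6) | (4 << 3) | 5
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, reference/origin/receive/transmit timestamps
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -18,
                       0, 0, ref_id, 0, 0, 0, tx_ts)


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append key ID and MD5(key || header), the step that
    'ntp-service broadcast-server authentication-keyid 16' adds on FW_C."""
    header = packet[:HEADER_LEN]
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_mac(packet: bytes, trusted: dict) -> tuple:
    """Client side: accept only a packet whose MAC uses a reliable key ID and
    whose digest matches. Returns (accepted, reason)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "missing or malformed MAC"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted.get(key_id)
    if key is None:
        return False, "key ID %d is not a reliable key" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return False, "digest mismatch (wrong key or altered header)"
    return True, "authenticated with key ID %d" % key_id


def demo() -> dict:
    """The cases a broadcast client must tell apart; returns acceptance per case."""
    # Constructed packet: stratum 3, reference ID 10.1.1.2, transmit stamp from the page output.
    pkt = build_broadcast_packet(3, bytes([10, 1, 1, 2]), 0xC7B7F851C5EAF25B)
    good = append_mac(pkt, 16, b"Hello123")
    tampered = bytearray(good)
    tampered[1] = 1                      # stratum changed after the MAC was computed
    return {
        "valid": verify_mac(good, TRUSTED_KEYS)[0],
        "unauthenticated": verify_mac(pkt, TRUSTED_KEYS)[0],
        "unknown_key_id": verify_mac(append_mac(pkt, 17, b"Hello123"), TRUSTED_KEYS)[0],
        "wrong_key": verify_mac(append_mac(pkt, 16, b"Hello124"), TRUSTED_KEYS)[0],
        "tampered": verify_mac(bytes(tampered), TRUSTED_KEYS)[0],
    }
```

Because the digest covers the whole 48-byte header, a client only accepts a stratum or timestamp that the holder of the shared key actually sent, which is why the key must be identical on FW_C, FW_D and FW_A and declared reliable on each.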
    

Configuration Scripts

  • Configuration script of FW_A

    #
     sysname FW_A
    #
    ospf 1
     area 0.0.0.0
      network 10.0.1.0 0.0.0.255
    #
     ntp-service authentication enable
     ntp-service authentication-keyid 16 authentication-mode md5 cipher %^%#H_{{GB(Q=KT+t9!Np.]6K3cDB]/F6*Z431"-74mM%^%#
     ntp-service reliable authentication-keyid 16
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 10.0.1.1 255.255.255.0
     ntp-service broadcast-client
    #
    return
    
  • Configuration script of FW_C

    #
     sysname FW_C
    #
     ntp-service authentication enable
     ntp-service authentication-keyid 16 authentication-mode md5 cipher %^%#wjk1SSTnpSK.#}Wel^)B[ZpjUdx8k87qP4L9YXn@%^%#
     ntp-service reliable authentication-keyid 16
     ntp-service refclock-master 3
     undo ntp-service server disable
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
     ntp-service broadcast-server authentication-keyid 16
    #
    return
    
  • Configuration script of FW_D

    #
     sysname FW_D
    #
     ntp-service authentication enable
     ntp-service authentication-keyid 16 authentication-mode md5 cipher %^%#ca^1S.TnpbA12aJK2l![JE1=)UdvX182qAYL4Ho@%^%#
     ntp-service reliable authentication-keyid 16
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 10.1.1.3 255.255.255.0
     ntp-service broadcast-client
    #
    return
    
  • Configuration script of FW_F

    #
     sysname FW_F
    #
    ospf 1
     area 0.0.0.0
      network 10.0.1.0 0.0.0.255
      network 10.1.1.0 0.0.0.255
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 10.0.1.2 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    return
    
Copyright © Huawei Technologies Co., Ltd.